Preface



This volume contains the proceedings of the 7th International Seminar on Re- 
lational Methods in Computer Science (RelMiCS 7) and the 2nd International 
Workshop on Applications of Kleene Algebra. The common meeting took place in 
Bad Malente (near Kiel), Germany, from May 12-17, 2003. Its purpose was
to bring together researchers from various subdisciplines of Computer Science, 
Mathematics and related fields who use the calculi of relations and/or Kleene 
algebra as methodological and conceptual tools in their work. 

This meeting is the joint continuation of two different series of meetings. 
Previous RelMiCS seminars were held in Schloss Dagstuhl (Germany) in Jan- 
uary 1994, Parati (Brazil) in July 1995, Hammamet (Tunisia) in January 1997, 
Warsaw (Poland) in September 1998, Quebec (Canada) in January 2000, and 
Oisterwijk (The Netherlands) in October 2001. The first workshop on applica- 
tions of Kleene algebra was also held in Schloss Dagstuhl in February 2001. To 
join these two events in a common meeting was mainly motivated by the sub- 
stantial common interests and overlap of the two communities. We hope that this 
leads to fruitful interactions and opens new and interesting research directions. 

This volume contains 23 contributions by researchers from all over the world: 
21 regular papers and two invited papers Choice Procedures in Pairwise Com- 
parison of Multiple- Attribute Decision Making Methods by Raymond Bisdorff 
and Marc Roubens and Kleene Algebra with Relations by Jules Desharnais. The 
papers show that relational algebra and Kleene algebra have wide-ranging di- 
versity and applicability in theory and practice. Just to give an (incomplete) 
overview, the papers deal with problems appearing in software technology and 
program verification and analysis, the formal treatment of pointer algorithms 
and of algorithms for many problems on discrete structures, applications of rela- 
tions in combination with fixed points to investigate games, questions arising in 
the context of databases and data mining, the relational modeling of real-world 
situations, many topics from artificial intelligence such as knowledge representa- 
tion and acquisition, preference modeling and scaling methods, and, finally, the 
use of tools for prototyping and programming with relations and for relational 
reasoning. 

We are very grateful to the members of the program committee and the 
external referees for their care and diligence in reviewing the submitted papers. 
We also want to thank Ulrike Pollakowski-Geuther, Ulf Milanese, and Frank 
Neumann for their assistance; they made organizing this meeting a pleasant 
experience. Finally, we want to thank Gunther Gediga and Gunther Schmidt for 
their help. 
Choice Procedures in Pairwise Comparison
Multiple-Attribute Decision Making Methods



Raymond Bisdorff (1) and Marc Roubens (2)

(1) Department of Management and Informatics, University Center of Luxembourg, Bisdorff@cu.lu
(2) Department of Mathematics, University of Liège, M.Roubens@ulg.ac.be



Abstract. We consider extensions of some classical rationality axioms introduced in conventional choice theory to valued preference relations. The concept of kernel is revisited in two ways: one determines kernels with a degree of qualification, the other presents a fuzzy kernel where every element of the support belongs to the rational choice set with a membership degree. The links between the two approaches are emphasized. We exploit these results in multiple-attribute decision aid to determine the good and bad choices. All the results are valid if the valued preference relations are evaluated on a finite ordinal scale.



1 Introduction 

We consider a pairwise comparison multiple-attribute decision making procedure that assigns to each ordered pair $(x,y)$, $x, y \in A$ (the set of alternatives), a global degree of preference $R(x,y)$. $R(x,y)$ represents the degree to which $x$ is weakly preferred to $y$.

We suppose that $R(x,y)$ belongs to a finite set $L = \{c_0, c_1, \ldots, c_m, \ldots, c_{2m}\}$ that constitutes a $(2m+1)$-element chain $c_0 < c_1 < \cdots < c_{2m}$. $R(x,y)$ may be understood as the level of credibility that "$x$ is at least as good as $y$". The set $L$ is built using the values of $R$ taking into consideration an antitone unary contradiction operator $\neg$ such that $\neg c_i = c_{2m-i}$ for $i = 0, \ldots, 2m$.

If $R(x,y)$ is one of the elements of $L$, then automatically $\neg R(x,y)$ belongs to $L$. We call such a relation an $L$-valued binary relation.

We denote $L^{>m} = \{c_{m+1}, \ldots, c_{2m}\}$ and $L^{<m} = \{c_0, \ldots, c_{m-1}\}$.

If $R(x,y) \in L^{>m}$, we say that the proposition "$(x,y) \in R$" is $L$-true. If however $R(x,y) \in L^{<m}$, we say that the proposition is $L$-false. If $R(x,y) = c_m$, the median level (a fixed point of the negation operator), then the proposition "$(x,y) \in R$" is $L$-undetermined. If $R(a,b) = c_r$ and $R(c,d) = c_s$ with $c_r < c_s$, it means that the proposition "$a$ is at least as good as $b$" is less credible than "$c$ is at least as good as $d$".

In the classical case where $R$ is a crisp binary relation ($m = 1$, and $R(x,y)$ is never rated $c_1$; $R(x,y) = c_2 = 1$ is denoted $xRy$ and $R(x,y) = c_0 = 0$ corresponds to $\neg xRy$), we define a digraph $G(A,R)$ with vertex set $A$ and arc family $R$. A choice in $G(A,R)$ is a non-empty subset $Y$ of $A$.

$R$ can be represented by a Boolean matrix and the choice $Y$ can be defined with the use of a subset characteristic row vector $Y(\cdot) = (\ldots, Y(x), \ldots, Y(y), \ldots)$ where

$$Y(x) = \begin{cases} 1 & \text{if } x \in Y,\\ 0 & \text{otherwise,}\end{cases} \qquad \text{for all } x \in A.$$

The subset characteristic vector of the successors of the elements of the vertex set $Y$, $\{x \in A \mid \exists y \in Y,\ yRx\}$, is denoted $Y \circ R$ and is obtained using the Boolean composition

$$(Y \circ R)(x) = \bigvee_{y \neq x} \big(Y(y) \wedge R(y,x)\big) \qquad (1)$$

where $\vee$ and $\wedge$ represent respectively "disjunction" and "conjunction" for the 2-element Boolean lattice $B = \{0,1\}$.

The choice $Y$ should satisfy some of the following rationality axioms ($\bar Y$ represents the complement of $Y$ in $A$):

• Inaccessibility of $Y$ (or GOCHA rule, cf. [5], [10])

$\forall y \in Y,\ \forall x \in \bar Y,\ \neg xRy$

$\bar Y \circ R \subseteq \bar Y$, "the successors of $\bar Y$ are inside $\bar Y$".

• Stability of $Y$ (see [9], [11])

$\forall y \in Y,\ \forall x \in Y,\ \neg yRx$

$Y \circ R \subseteq \bar Y$, "the successors of $Y$ are inside $\bar Y$".

• Dominance of $Y$ (or external stability, see [9], [11])

$\forall x \in \bar Y,\ \exists y \in Y,\ yRx$

$\bar Y \subseteq Y \circ R$, "the successors of $Y$ contain $\bar Y$".

• Strong dominance of $Y$ (or GETCHA rule, cf. [5], [10])

$\forall y \in Y,\ \forall x \in \bar Y,\ yRx = \neg xR^d y$

($R^d$ is the dual relation, i.e. the transpose of the complement of $R$)

$\bar Y \circ R^d \subseteq \bar Y$.

The maximal set of all non-dominated alternatives (inaccessibility and stability are satisfied) is called the core, and the internally and externally stable set corresponds to the kernel. The GETCHA set is such that the strong dominance rule applies.

No specific property like acyclicity or antisymmetry will be assumed in the sequel. The core guarantees a rather small choice but is often empty. The GETCHA set corresponds to a rather large set and, in this general framework, the kernel (see [5], [8]) seems to be the best compromise. However its existence or uniqueness cannot be guaranteed. It has been mentioned in [5] that for random graphs (with arc probability .5) a kernel almost certainly exists and that in a Moon-Moser graph with $n$ nodes the number of kernels is around $3^{n/3}$.

In order to illustrate all these concepts, we consider a small example. 






Table 1. Boolean matrix R and scores (S(+) is the outgoing score, the row sum; S(-) is the ingoing score, the column sum; the diagonal is left blank)

  R   | a  b  c  d  e  f  g  h | S(+)
  ----+------------------------+-----
  a   | -  1  1  1  0  0  0  0 |  3
  b   | 1  -  1  1  1  1  1  1 |  7
  c   | 1  1  -  1  1  0  1  1 |  6
  d   | 1  1  1  -  1  0  1  1 |  6
  e   | 0  1  1  1  -  0  1  1 |  5
  f   | 0  1  1  1  1  -  1  1 |  6
  g   | 0  1  1  1  1  1  -  1 |  6
  h   | 0  1  1  1  1  0  0  - |  4
  ----+------------------------+-----
  S(-)| 3  7  7  7  6  2  5  6 |

Example 1. Consider the set $A = \{a,b,c,d,e,f,g,h\}$ of 8 alternatives. The Boolean matrix $R$ together with the outgoing and ingoing scores $S(+)$ and $S(-)$ are presented in Table 1.

Core (non-dominated elements): empty set.

Kernels (maximal stable and minimal dominant sets): $\{b\}$, $\{a,f\}$, $\{a,g\}$.

Minimal GETCHA sets: $\{b\}$, $\{a,e,f,g,h\}$.

We may define generalizations of the previous crisp concepts in the valued case in two different ways:

(i) Starting from the definition of a rational choice in terms of logical predicates, one might consider that every subset of $A$ is a rational choice with a given qualification and determine those sets with a sufficient degree of qualification.

(ii) One might also extend the algebraic definition of a rational choice. In that case, there is a need to define proper extensions of the composition law $\circ$ and of the inclusion $\subseteq$. Solutions that correspond to this approach give a fuzzy rational set $Y$, each element of $A$ belonging to $Y$ to a certain degree (membership function).

It is interesting to stress the correspondence between these two approaches. The choice of the operators is closely related to the type of scale that is used to quantify the valued binary relation $R$, i.e. an ordinal scale.



2 Qualification of Crisp Kernels in the Valued Ordinal Context



We now denote $G_L = G_L(A,R)$ a digraph with vertex set $A$ and a valued arc family that corresponds to the $L$-valued binary relation $R$. This graph is often called an outranking graph in the context of multi-attribute decision making.

We define the level of stability qualification of a subset $Y$ of $A$ as

$$\Delta^{sta}(Y) = \begin{cases} c_{2m} & \text{if } Y \text{ is a singleton},\\ \min_{y \in Y}\ \min_{x \in Y,\, x \neq y} \{\neg R(x,y)\} & \text{otherwise}\end{cases}$$
Table 2. Outranking relation related to eight cars

  R |  a    b    c    d    e    f    g    h
  --+----------------------------------------
  a |  1   .75  .70  .62   0    0    0    0
  b | .76   1   .90  .82  .82  .82  .82  .80
  c | .70  .86   1    1    1   .46  .80  .91
  d | .64  .65  .94   1   .88  .22  .94  .74
  e | .33  .57  .93   1    1    0   .80  .86
  f |  0   .73  .64  .92  .76   1   .96  .80
  g |  0   .63  .73  .85  .82  .70   1   .81
  h |  0   .60  .64  .60  .77   0    0    1

and the level of dominance qualification of $Y$ as

$$\Delta^{dom}(Y) = \begin{cases} c_{2m} & \text{if } Y = A,\\ \min_{x \notin Y}\ \max_{y \in Y} R(y,x) & \text{otherwise.}\end{cases}$$



$Y$ is considered to be an $L$-good choice, i.e. $L$-stable and $L$-dominant, if $\Delta^{sta}(Y) \in L^{>m}$ and $\Delta^{dom}(Y) \in L^{>m}$. Its qualification corresponds to

$$Q^{good}(Y) = \min(\Delta^{sta}(Y), \Delta^{dom}(Y)) \in L^{>m}.$$

We denote $C^{good}(G_L)$ the possibly empty set of $L$-good choices in $G_L$.

The determination of this set is an NP-complete problem even if, following a result of Kitainik [5], we do not have to enumerate the elements of the power set of $A$ but only have to consider the kernels of the corresponding crisp strict median-level cut relation $R^{>m}$ associated to $R$, i.e. $(x,y) \in R^{>m}$ iff $R(x,y) \in L^{>m}$.

As a kernel in $G(A, R^{>m})$ is by definition a stable and dominant crisp subset of $A$, we consider the possibly empty set of kernels of $G^{>m} = G(A, R^{>m})$, which we denote $C^{good}(G^{>m})$.

Kitainik proved that

$$C^{good}(G_L) = C^{good}(G^{>m}).$$

The determination of crisp kernels has been extensively described in the literature (see, for example, [9]) and the determination of $C^{good}(G_L)$ is reduced to the enumeration of the elements of $C^{good}(G^{>m})$ and the calculation of their qualification.



Example 2. We now consider the comparison of 8 cars ($a, b, c, d, e, f, g, h$) on the basis of maximum speed, volume, price and consumption. Data and aggregation procedure will not be presented here (for more details, see [2]). The related outranking relation is presented in Table 2.

We will consider only the ordinal content of that outranking relation and we transpose the data on an $L$-scale with $c_0 = 0$, $c_{2m} = 1$, $m = 27$ and $c_m = .5$.

The strict median-cut relation $R^{>m}$ corresponds to the data of Table 1. The set $C^{good}(G^{>m})$ corresponds to $\{\{b\}, \{a,f\}, \{a,g\}\}$ with the following qualifications:

$$Q^{good}(\{b\}) = .76,\qquad Q^{good}(\{a,f\}) = Q^{good}(\{a,g\}) = .70.$$

3 Fuzzy Kernels

A second approach to the problem of determining a good choice is to consider the valued extension of the Boolean system of equations (1).

If $Y(\cdot) = (\ldots, Y(x), Y(y), \ldots)$, where $Y(x)$ belongs to $L$ for every $x \in A$, is the characteristic vector of a fuzzy choice and indicates the credibility level of the assertion that "$x$ is part of the choice $Y$", we have to solve the following system of equations:

$$(Y \circ R)(x) = \max_{y \neq x}\big[\min(Y(y), R(y,x))\big] = \neg Y(x), \qquad \forall x \in A. \qquad (2)$$

The set of solutions to the system of equations (2) is called $Y^{dom}(G_L)$.

In order to compare these fuzzy solutions to the solutions in $C^{good}(G_L)$, we define the crisp choice

$$K_Y(x) = \begin{cases} 1 & \text{if } Y(x) \in L^{>m},\\ 0 & \text{otherwise,}\end{cases} \qquad (3)$$

and we consider a partial order on the elements of $Y^{dom}(G_L)$: $Y$ is sharper than $Y'$, noted $Y' \preceq Y$, iff $\forall x \in A$: either $Y(x) \le Y'(x) \le c_m$, or $c_m \le Y'(x) \le Y(x)$.

The subset of the sharpest solutions in $Y^{dom}(G_L)$ is called $F^{dom}(G_L)$. Bisdorff and Roubens have proved that the set of crisp choices constructed from $F^{dom}(G_L)$ using (3), denoted $K(F^{dom}(G_L))$, coincides with $C^{good}(G_L)$.

Coming back to Example 2, we obtain 3 sharpest solutions to equation (2):

$$Y_{\{b\}} = (.24, .76, .24, .24, .24, .24, .24, .24)$$
$$Y_{\{a,f\}} = (.70, .30, .30, .30, .30, .70, .30, .30)$$
$$Y_{\{a,g\}} = (.70, .30, .30, .30, .30, .30, .70, .30)$$

In this particular case, we obtain only $Q^{good}$ and $\neg Q^{good}$ as components of the $Y$'s, but this is not true in general.
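As an added illustration, not taken from the paper, the following Python code checks the three vectors above against equation (2), applies the crisp cut (3) to each, verifies that each is sharper than the all-median vector, and rebuilds them from the crisp kernels with the special-case construction the last sentence describes ($Q^{good}$ on the kernel, $\neg Q^{good}$ elsewhere). The outranking relation is Table 2 retyped; $\neg x$ is taken as $1 - x$ with $c_m = .5$, as in Example 2; all function names are this example's own. The same construction applied to a non-kernel (such as $\{a, c\}$) or with a wrong qualification fails the equation, which is the check one wants before trusting a reported fuzzy kernel.

```python
# Added example, not from the paper: checking fuzzy kernels (Sect. 3) on the
# outranking relation of Table 2. Values are read on [0, 1] with c_m = .5 and
# the contradiction operator neg(x) = 1 - x, as in Example 2.
ALTS = "abcdefgh"
R = {  # Table 2; R[x][i] is R(x, ALTS[i]); the diagonal is never used
    "a": [1, .75, .70, .62, 0, 0, 0, 0],
    "b": [.76, 1, .90, .82, .82, .82, .82, .80],
    "c": [.70, .86, 1, 1, 1, .46, .80, .91],
    "d": [.64, .65, .94, 1, .88, .22, .94, .74],
    "e": [.33, .57, .93, 1, 1, 0, .80, .86],
    "f": [0, .73, .64, .92, .76, 1, .96, .80],
    "g": [0, .63, .73, .85, .82, .70, 1, .81],
    "h": [0, .60, .64, .60, .77, 0, 0, 1],
}
MEDIAN = 0.5


def r(x, y):
    return R[x][ALTS.index(y)]


def neg(v):
    """Antitone contradiction operator on the [0, 1] reading of L (table precision)."""
    return round(1 - v, 2)


def fuzzy_composition(Y, x):
    """(Y o R)(x) = max_{y != x} min(Y(y), R(y, x)): the valued form of (1)."""
    return max(min(Y[y], r(y, x)) for y in ALTS if y != x)


def solves_equation_2(Y):
    """Y is a fuzzy (dominant) kernel iff (Y o R)(x) = neg(Y(x)) for every x."""
    return all(abs(fuzzy_composition(Y, x) - neg(Y[x])) < 1e-9 for x in ALTS)


def crisp_cut(Y):
    """Equation (3): K_Y keeps the alternatives whose membership is L-true."""
    return frozenset(x for x in ALTS if Y[x] > MEDIAN)


def sharper(Y, Y_prime):
    """Y is sharper than Y' (Y' <= Y) iff every Y(x) lies on the same side of the
    median as Y'(x) and at least as far from it."""
    return all((Y[x] <= Y_prime[x] <= MEDIAN) or (MEDIAN <= Y_prime[x] <= Y[x])
               for x in ALTS)


def candidate_from_kernel(kernel, q):
    """Special-case construction observed in Example 2 (not general, as the paper
    notes): q on the crisp kernel and neg(q) elsewhere."""
    return {x: (q if x in kernel else neg(q)) for x in ALTS}


def as_vector(Y):
    return tuple(Y[x] for x in ALTS)


def sharpest_solutions_of_example_2():
    """Rebuild the three vectors of Example 2 from the crisp kernels and their Q^good."""
    return {
        frozenset("b"): candidate_from_kernel(frozenset("b"), .76),
        frozenset("af"): candidate_from_kernel(frozenset("af"), .70),
        frozenset("ag"): candidate_from_kernel(frozenset("ag"), .70),
    }


if __name__ == "__main__":
    for K, Y in sharpest_solutions_of_example_2().items():
        print(sorted(K), as_vector(Y), solves_equation_2(Y), sorted(crisp_cut(Y)))
```

The tolerance in `solves_equation_2` only absorbs floating-point noise from `1 - v`; on the ordinal chain itself the equality is exact.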

4 Good and Bad Choices in Multi-attribute Decision Making

In the framework of decision making procedures, it is often interesting to deter- 
mine choice sets that correspond to bad choices. These bad choices should be 
ideally different from the good choices. To clarify this point, let us first consider 
the crisp Boolean case and define the rationality axiom of 
• Absorbance of $Y$ (see [10])

$\forall x \in \bar Y,\ \exists y \in Y,\ xRy = yR^t x$

$\bar Y \subseteq Y \circ R^t$, "the predecessors of $Y$ contain $\bar Y$".

As the stability property can be rewritten as $Y \circ R^t \subseteq \bar Y$, we immediately obtain the Boolean equation that determines the absorbent kernel (stable and absorbent choice):

$$\bar Y = Y \circ R^t.$$

We notice that for some digraphs (dominant) kernels and absorbent kernels may coincide (consider a digraph $G(A,R)$ with vertices $A = \{a,b,c,d\}$ and four arcs $(a,b)$, $(b,c)$, $(c,d)$, $(d,a)$: $\{a,c\}$ as well as $\{b,d\}$ are dominant and absorbent kernels, or good and bad choices).

This last concept can be easily extended in the valued case. Consider the valued graph $G_L$ introduced in Section 2. We define the level of absorbance qualification of $Y$ as

$$\Delta^{abs}(Y) = \begin{cases} c_{2m} & \text{if } Y = A,\\ \min_{x \notin Y}\ \max_{y \in Y} R(x,y) & \text{otherwise.}\end{cases}$$

The qualification of $Y$ being a bad choice corresponds to

$$Q^{bad}(Y) = \min(\Delta^{sta}(Y), \Delta^{abs}(Y)) > c_m.$$

If $Q^{bad}(Y) < c_m$, $Y$ is not considered to be a bad choice.

A fuzzy absorbent kernel is a solution of equation

$$(Y \circ R^t)(x) = \max_{y \neq x} \min(Y(y), R^t(y,x)) = \neg Y(x), \qquad \forall x \in A. \qquad (4)$$

The set of solutions of equation (4), denoted $Y^{abs}(G_L)$, can be handled in the same way as done in Section 3 for $Y^{dom}(G_L)$ and creates a link between these solutions of (4) and the subsets $Y$ qualified as bad choices.

Reconsidering Example 2, we observe that $\{b\}$, $\{c\}$, $\{d\}$, $\{a,e\}$ and $\{a,h\}$ are absorbent kernels in $G(A, R^{>m})$. Qualifications can be easily obtained and we get $Q^{bad}(\{a,e\}) = .76$, $Q^{bad}(\{a,h\}) = .74$, $Q^{bad}(\{c\}) = .64$, $Q^{bad}(\{d\}) = .60$, $Q^{bad}(\{b\}) = .57$.

We finally decide to keep car $b$ as the best solution, noticing however that it is also a bad choice. Going back to the digraph $G(A, R^{>m})$, we see that $b$ is at the same time dominating and dominated by all the other elements. Car $b$ is indifferent to all the other cars, which is not true for $a, c, d, e, f, g, h$, since indifference is not transitive in this example.
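The following Python code is an added example (not part of the paper) that runs the whole procedure of Sections 1, 2 and 4 on Table 2: it builds the strict median cut, enumerates the core, the crisp dominant and absorbent kernels and the minimal GETCHA sets of Example 1, and computes $\Delta^{sta}$, $\Delta^{dom}$, $\Delta^{abs}$ and the qualifications $Q^{good}$ and $Q^{bad}$, with $\neg x$ read as $1 - x$ and $c_m = .5$ as in Example 2. All function names are this example's own. Recomputing the bad choices with these definitions reproduces .74, .64, .60 and .57, but gives $Q^{bad}(\{a,e\}) = \min(\Delta^{sta}, \Delta^{abs}) = \min(.67, .76) = .67$ rather than .76: $\neg R(e,a) = \neg .33 = .67$ caps the stability qualification of $\{a,e\}$, and .76 is $\Delta^{abs}(\{a,e\})$ alone.

```python
# Added example, not from the paper: the crisp/valued choice procedure of
# Sects. 1, 2 and 4 run on the outranking relation of Table 2. Values are read
# on [0, 1] with c_m = .5 and neg(x) = 1 - x, as in Example 2; the names are
# this example's own.
from itertools import combinations

ALTS = "abcdefgh"
R = {  # Table 2; R[x][i] is R(x, ALTS[i]); the diagonal is never used
    "a": [1, .75, .70, .62, 0, 0, 0, 0],
    "b": [.76, 1, .90, .82, .82, .82, .82, .80],
    "c": [.70, .86, 1, 1, 1, .46, .80, .91],
    "d": [.64, .65, .94, 1, .88, .22, .94, .74],
    "e": [.33, .57, .93, 1, 1, 0, .80, .86],
    "f": [0, .73, .64, .92, .76, 1, .96, .80],
    "g": [0, .63, .73, .85, .82, .70, 1, .81],
    "h": [0, .60, .64, .60, .77, 0, 0, 1],
}
MEDIAN = 0.5


def r(x, y):
    return R[x][ALTS.index(y)]


def neg(v):
    """Antitone contradiction operator, neg(c_i) = c_{2m-i}, on the [0, 1] reading of L."""
    return round(1 - v, 2)


def cut(x, y):
    """Strict median-level cut R^{>m}: crisp arc x -> y iff R(x, y) is L-true."""
    return x != y and r(x, y) > MEDIAN


# Crisp rationality axioms of Sects. 1 and 4, evaluated on G(A, R^{>m}).
def stable(Y):
    return all(not cut(x, y) for x in Y for y in Y)


def dominant(Y):
    return all(any(cut(y, x) for y in Y) for x in ALTS if x not in Y)


def strongly_dominant(Y):
    return all(cut(y, x) for y in Y for x in ALTS if x not in Y)


def absorbent(Y):
    return all(any(cut(x, y) for y in Y) for x in ALTS if x not in Y)


def choices():
    """All non-empty subsets of A: brute force is affordable for 8 alternatives."""
    for k in range(1, len(ALTS) + 1):
        for Y in combinations(ALTS, k):
            yield frozenset(Y)


def core():
    return frozenset(x for x in ALTS if not any(cut(y, x) for y in ALTS))


def dominant_kernels():
    return frozenset(Y for Y in choices() if stable(Y) and dominant(Y))


def absorbent_kernels():
    return frozenset(Y for Y in choices() if stable(Y) and absorbent(Y))


def minimal_getcha_sets():
    sets = [Y for Y in choices() if strongly_dominant(Y)]
    return frozenset(Y for Y in sets if not any(Z < Y for Z in sets))


# Qualification levels of Sects. 2 and 4.
def delta_sta(Y):
    if len(Y) == 1:
        return 1.0
    return min(neg(r(x, y)) for x in Y for y in Y if x != y)


def delta_dom(Y):
    if len(Y) == len(ALTS):
        return 1.0
    return min(max(r(y, x) for y in Y) for x in ALTS if x not in Y)


def delta_abs(Y):
    if len(Y) == len(ALTS):
        return 1.0
    return min(max(r(x, y) for y in Y) for x in ALTS if x not in Y)


def q_good(Y):
    return min(delta_sta(Y), delta_dom(Y))


def q_bad(Y):
    return min(delta_sta(Y), delta_abs(Y))


def good_choices():
    """C^good(G_L) by Kitainik's reduction: the kernels of the cut, each with its Q^good."""
    return {Y: q_good(Y) for Y in dominant_kernels()}


def bad_choices():
    """Absorbent kernels of the cut, each with its Q^bad."""
    return {Y: q_bad(Y) for Y in absorbent_kernels()}


if __name__ == "__main__":
    print("core:", sorted(core()))
    print("good:", {"".join(sorted(Y)): q for Y, q in good_choices().items()})
    print("bad: ", {"".join(sorted(Y)): q for Y, q in bad_choices().items()})
    print("minimal GETCHA:", sorted("".join(sorted(Y)) for Y in minimal_getcha_sets()))
```

Kitainik's result is what makes the valued problem tractable in practice: only the crisp kernels of the cut need to be qualified, not every subset; the brute-force `choices()` is used here only because the instance is tiny.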
Kleene Algebra with Relations

Jules Desharnais

Abstract. Matrices over a Kleene algebra with tests themselves form a Kleene algebra. The matrices whose entries are tests form an algebra of relations if the converse of a matrix is defined as its transpose. Abstracting from this concrete setting yields the concept of Kleene algebra with relations.



1 Introduction 

It is well known [4, 13] that matrices over a Kleene algebra (KA in the sequel), i.e., matrices whose entries belong to a KA, again form a KA (a heterogeneous KA if matrices with different sizes are allowed). Such matrices can be used to represent automata or programs by suitably choosing the underlying KA (algebra of languages, algebra of relations, ...). Every KA has an element 0 (e.g., the empty language, the empty relation) and an element 1 (e.g., the language containing only the empty sequence, the identity relation). Now, matrices filled with 0's and 1's are again matrices over the given KA, but, in addition, they are relations satisfying the usual properties of relations. Hence, the set of $n \times n$ matrices over a given KA is a KA with relations.

Using this simple remark, we abstract from the concrete world of matrices 
and define the concept of KA with relations. We also give examples showing the 
interest of the concept. 

In Sect. 2, we give the definition of Kleene algebra. In Sect. 3, we intro- 
duce matrices over a KA and describe how the concept of KA with relations 
may arise. Section 4 defines abstract KAs with relations and gives examples. 
Section 5 briefly discusses additional axioms and representability. Section 6 is 
a short section on projections, direct products and unsharpness in KAs with 
relations. 

2 Kleene Algebra 

There are some variants of KA around [4, 6, 13, 14]. We use Kozen’s first-order 
axiomatization [14], because this is the least constraining one and it can be used 
as a basis for the other definitions. 

* This research is supported by NSERC (Natural Sciences and Engineering Research 
Council of Canada). 
Definition 1. A Kleene algebra is a structure $\mathcal{K} = (K, +, \cdot, {}^*, 0, 1)$ such that $(K, +, 0)$ is a commutative monoid, $(K, \cdot, 1)$ is a monoid, and the following laws hold:

$$a + a = a, \qquad a \cdot (b + c) = a \cdot b + a \cdot c,$$
$$a \cdot 0 = 0 \cdot a = 0, \qquad (a + b) \cdot c = a \cdot c + b \cdot c,$$
$$1 + a \cdot a^* = a^*, \qquad b + a \cdot c \le c \Rightarrow a^* \cdot b \le c,$$
$$1 + a^* \cdot a = a^*, \qquad b + c \cdot a \le c \Rightarrow b \cdot a^* \le c,$$

where $\le$ is the partial order induced by $+$, that is,

$$a \le b \iff a + b = b.$$

A KA is Boolean if there is a complementation operation $\bar{\ }$ such that $(K, +, \bar{\ }, 0)$ is a Boolean lattice. The meet $\sqcap$ of this lattice satisfies $a \sqcap c = \overline{\bar a + \bar c}$ and there is a top element $\top = \bar 0$.

A Kleene algebra with tests [14] is a two-sorted algebra $(K, T, +, \cdot, {}^*, 0, 1, \neg)$ such that $(K, +, \cdot, {}^*, 0, 1)$ is a Kleene algebra and $(T, +, \cdot, \neg, 0, 1)$ is a Boolean algebra, where $T \subseteq K$ and $\neg$ is a unary operator defined only on $T$.

Operator precedence, from lowest to highest, is $(+, \sqcap)$, $(\cdot)$, $(\bar{\ }, {}^*, \neg)$.

It is immediate from the definition that $t \le 1$ for any test $t \in T$. The meet of two tests $t, u \in T$ is their product $t \cdot u$. Note that every KA can be made into a KA with tests, by taking $\{0, 1\}$ as the set of tests.

Models of KAs include the following:

1. Algebras of languages: $(2^{\Sigma^*}, \cup, \cdot, {}^*, \emptyset, \{\varepsilon\})$, where $\Sigma$ is an alphabet, $\Sigma^*$ is the set of all finite sequences over $\Sigma$, $\cdot$ denotes concatenation, extended pointwise from sequences to sets of sequences, ${}^*$ is the union of iterated concatenations, and $\varepsilon$ is the empty sequence. The unique set of tests is $\{\emptyset, \{\varepsilon\}\}$.

2. Algebras of path sets in a directed graph [20]: $(2^{\Sigma^*}, \cup, \bowtie, {}^*, \emptyset, \Sigma \cup \{\varepsilon\})$, where $\Sigma$ is a set of labels (of vertices) and $\bowtie$ denotes path concatenation, extended pointwise from paths to sets of paths. Path concatenation is defined as $\varepsilon \bowtie \varepsilon = \varepsilon$, $sa \bowtie at = sat$, for all $a \in \Sigma$ and all paths $s, t$, and is undefined otherwise. The ${}^*$ operator is again the union of iterated concatenations. The largest possible set of tests is $2^{\Sigma \cup \{\varepsilon\}}$, i.e., the set of all subidentities.

3. Algebras of relations over a set $S$: $(2^{S \times S}, \cup, ;, {}^*, \emptyset, I)$, where $;$ is relational composition, ${}^*$ is reflexive-transitive closure and $I$ is the identity relation. The largest possible set of tests is $2^I$, i.e., the set of all subidentities.

4. Abstract relation algebras with transitive closure [21, 22]: $(A, +, ;, \bar{\ }, {}^\smile, {}^*, 1)$, where the listed operations are join, composition, complementation, converse, transitive closure and identity relation, in this order. The largest possible set of tests is the set of all subidentities (relations below the identity).



3 Matrices Over a Kleene Algebra 

A (finite) matrix over a KA $(K, +, \cdot, {}^*, 0, 1)$ is a function

$$A_{mn} : \{1, \ldots, m\} \times \{1, \ldots, n\} \to K,$$

where $m, n \in \mathbb{N}$. When no confusion arises, we simply write $A$ instead of $A_{mn}$.
We use the following notation for matrices.

$\mathbf{0}$ : matrix whose entries are all 0, i.e., $\mathbf{0}[i,j] = 0$,

$\mathbf{1}$ : identity matrix (square), i.e., $\mathbf{1}[i,j] = \begin{cases} 1 & \text{if } i = j\\ 0 & \text{if } i \neq j\end{cases}$

$\mathbf{\top}$ : matrix whose entries are all $\top$, i.e., $\mathbf{\top}[i,j] = \top$ (if $K$ has a greatest element $\top$).

The sum $A + B$, product $A \cdot B$ and comparison $A \le B$ are defined in the standard fashion, provided that the usual constraints on the size of matrices hold:

$$(A + B)[i,j] = A[i,j] + B[i,j], \qquad (A \cdot B)[i,j] = \textstyle\sum(k \mid : A[i,k] \cdot B[k,j]), \qquad A \le B \iff A + B = B. \qquad (1)$$

The Kleene star of a square matrix is defined recursively. If $A = (a)$, for some $a \in K$, then $A^* = (a^*)$. If

$$A = \begin{pmatrix} a & b \\ c & d \end{pmatrix}$$

for some $a, b, c, d \in K$ (with the graphic representation of a two-state automaton in which $a$ loops on state 1, $b$ leads from state 1 to state 2, $c$ from state 2 to state 1 and $d$ loops on state 2), then

$$A^* = \begin{pmatrix} f^* & f^* \cdot b \cdot d^* \\ d^* \cdot c \cdot f^* & d^* + d^* \cdot c \cdot f^* \cdot b \cdot d^* \end{pmatrix}, \qquad (2)$$

where $f = a + b \cdot d^* \cdot c$; the automaton corresponding to $A$ helps understand that $f$ corresponds to paths from state 1 to state 1. If $A$ is a larger matrix, it is decomposed as a $2 \times 2$ matrix of submatrices $A = \begin{pmatrix} B & C \\ D & E \end{pmatrix}$, where $B$ and $E$ are square. Then $A^*$ is calculated recursively using (2).

Let $\mathcal{M}(\mathcal{K}, m, n)$ be the set of matrices of size $m \times n$ over a KA $\mathcal{K}$. Using the operations defined above, it can be shown that for all $n$,

$$(\mathcal{M}(\mathcal{K}, n, n), +, \cdot, {}^*, \mathbf{0}_{nn}, \mathbf{1}_{nn})$$

is a KA. See [13] for the details. By setting up an appropriate type discipline, one can define heterogeneous Kleene algebras as is done for heterogeneous relation algebras [15, 24]. The set of matrices $\mathcal{M}(\mathcal{K}, m, n)$, for $m, n \in \mathbb{N}$, is such a heterogeneous KA.

Now assume a KA with tests $(K, T, +, \cdot, {}^*, 0, 1, \neg)$ is given. We call matrix relations (relations for short) those matrices $R$ whose entries are tests, i.e., $R[i,j] \in T$ for all $i, j$. Let $Q$ and $R$ be relations. We define the (relational) converse, meet, top and complementation operations as follows:

$$(Q^\smile)[i,j] = Q[j,i] \qquad \text{converse (which is the transpose),}$$
$$(Q \sqcap R)[i,j] = Q[i,j] \cdot R[i,j] \qquad \text{meet,}$$
$$\top[i,j] = 1 \qquad \text{relational top,}$$
$$(\bar Q)[i,j] = \neg Q[i,j] \qquad \text{relational complement.} \qquad (3)$$

Again, note that these definitions also apply to nonsquare matrices. In particular, there is a relational top $\top_{mn}$ for every $m, n$.

A (square) matrix $T$ is a test if $T \le \mathbf{1}$. For instance, if $t_1, t_2, t_3$ are tests,

$$\begin{pmatrix} t_1 & 0 & 0 \\ 0 & t_2 & 0 \\ 0 & 0 & t_3 \end{pmatrix} \text{ is a test and } \neg \begin{pmatrix} t_1 & 0 & 0 \\ 0 & t_2 & 0 \\ 0 & 0 & t_3 \end{pmatrix} = \begin{pmatrix} \neg t_1 & 0 & 0 \\ 0 & \neg t_2 & 0 \\ 0 & 0 & \neg t_3 \end{pmatrix}.$$

Let $\mathcal{MR}(\mathcal{K}, n, n)$ be the set of (matrix) relations of size $n \times n$ over the KA with tests $\mathcal{K} = (K, T, +, \cdot, {}^*, 0, 1, \neg)$. It is straightforward to verify that

$$(\mathcal{MR}(\mathcal{K}, n, n), +, \sqcap, \bar{\ }, \cdot, {}^\smile, \mathbf{0}_{nn}, \mathbf{1}_{nn}, \top_{nn})$$

is a relation algebra [2, 23, 25]. In particular, it satisfies the Dedekind rule

$$P \cdot Q \sqcap R \le (R \cdot Q^\smile \sqcap P) \cdot (P^\smile \cdot R \sqcap Q)$$

and the Schröder equivalences

$$P \cdot Q \sqcap R \le \mathbf{0} \iff P^\smile \cdot R \sqcap Q \le \mathbf{0} \iff R \cdot Q^\smile \sqcap P \le \mathbf{0}.$$

We say that $\mathcal{M}(\mathcal{K}, n, n)$ is a KA with relations $\mathcal{MR}(\mathcal{K}, n, n)$.

In $\mathcal{M}(\mathcal{K}, n, n)$, more general variants of the above laws hold: for arbitrary matrices $A$ and $B$ and an arbitrary relation $R$,

$$\text{(a)}\quad R \cdot A \sqcap B \le R \cdot (R^\smile \cdot B \sqcap A),$$
$$\text{(b)}\quad A \cdot R \sqcap B \le (B \cdot R^\smile \sqcap A) \cdot R,$$
$$\text{(c)}\quad R \cdot A \sqcap B \le \mathbf{0} \iff R^\smile \cdot B \sqcap A \le \mathbf{0},$$
$$\text{(d)}\quad A \cdot R \sqcap B \le \mathbf{0} \iff B \cdot R^\smile \sqcap A \le \mathbf{0}. \qquad (4)$$

We show only part (a). The proof of (b) is similar to that of (a) and (c, d) easily follow from (a, b).

$(R \cdot A \sqcap B)[i,j]$
$= (R \cdot A)[i,j] \sqcap B[i,j]$
$= \sum(k \mid : R[i,k] \cdot A[k,j]) \sqcap B[i,j]$
$= \langle\ k \text{ is not free in } B[i,j]\ \rangle$
$\quad \sum(k \mid : R[i,k] \cdot A[k,j] \sqcap B[i,j])$
$= \langle\ R[i,k] \text{ is a test because } R \text{ is a matrix relation, and in a Boolean KA, for any test } t,\ t \cdot a \sqcap b = t \cdot (a \sqcap t \cdot b)\ [6]\ \rangle$
$\quad \sum(k \mid : R[i,k] \cdot (A[k,j] \sqcap R[i,k] \cdot B[i,j]))$
$= \sum(k \mid : R[i,k] \cdot (A[k,j] \sqcap R^\smile[k,i] \cdot B[i,j]))$
$\le \sum(k \mid : R[i,k] \cdot (A[k,j] \sqcap \sum(l \mid : R^\smile[k,l] \cdot B[l,j])))$
$= \sum(k \mid : R[i,k] \cdot (A[k,j] \sqcap (R^\smile \cdot B)[k,j]))$
$= \sum(k \mid : R[i,k] \cdot (A \sqcap R^\smile \cdot B)[k,j])$
$= (R \cdot (A \sqcap R^\smile \cdot B))[i,j]$
$= (R \cdot (R^\smile \cdot B \sqcap A))[i,j]$
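As an added example (not from the paper), the Python code below instantiates Section 3 in the relation model of Sect. 2 (item 3): matrices whose entries are binary relations on a three-element set, with the matrix Kleene star implemented by the $2 \times 2$ block recursion (2) and checked against the iterative least solution of $X = \mathbf{1} + A \cdot X$, plus the matrix-relation operations of (3) (converse as transpose, pointwise meet) used to test law (4a) on a constructed matrix relation $R$ and arbitrary matrices $A$ and $B$. The set $S$, the sample matrices and all function names are constructed for this example.

```python
# Added example, not from the paper: Sect. 3 instantiated in the relation model
# (Sect. 2, item 3). S, the sample matrices and every name here are constructed
# for this illustration.
S = (0, 1, 2)
ZERO = frozenset()
ONE = frozenset((s, s) for s in S)
TOP = frozenset((x, y) for x in S for y in S)


def plus(a, b):
    return a | b


def dot(a, b):
    """Relational composition a ; b."""
    return frozenset((x, z) for (x, y) in a for (y2, z) in b if y == y2)


def star(a):
    """Reflexive-transitive closure: the * of the relation model (S is finite)."""
    acc = ONE
    while True:
        nxt = plus(acc, dot(acc, a))
        if nxt == acc:
            return acc
        acc = nxt


# Matrices over the KA are tuples of rows; entries are relations.
def m_plus(A, B):
    return tuple(tuple(plus(x, y) for x, y in zip(ra, rb)) for ra, rb in zip(A, B))


def m_meet(A, B):
    """Pointwise meet; relations form a Boolean KA, so the meet is intersection."""
    return tuple(tuple(x & y for x, y in zip(ra, rb)) for ra, rb in zip(A, B))


def m_dot(A, B):
    """(A . B)[i, j] = sum over k of A[i, k] . B[k, j], as in (1)."""
    return tuple(tuple(frozenset().union(*(dot(A[i][k], B[k][j]) for k in range(len(B))))
                       for j in range(len(B[0]))) for i in range(len(A)))


def m_leq(A, B):
    return m_plus(A, B) == B  # A <= B iff A + B = B


def m_one(n):
    return tuple(tuple(ONE if i == j else ZERO for j in range(n)) for i in range(n))


def m_conv(R):
    """Converse of a matrix relation is its transpose, definition (3)."""
    return tuple(tuple(R[j][i] for j in range(len(R))) for i in range(len(R[0])))


def m_star(A):
    """Kleene star by the 2x2 block recursion (2): a is 1x1, d is (n-1)x(n-1), f = a + b d* c."""
    n = len(A)
    if n == 1:
        return ((star(A[0][0]),),)
    a = ((A[0][0],),)
    b = (A[0][1:],)
    c = tuple((row[0],) for row in A[1:])
    d = tuple(row[1:] for row in A[1:])
    ds = m_star(d)
    fs = m_star(m_plus(a, m_dot(m_dot(b, ds), c)))
    top_right = m_dot(m_dot(fs, b), ds)                          # f* . b . d*
    bottom_left = m_dot(m_dot(ds, c), fs)                        # d* . c . f*
    bottom_right = m_plus(ds, m_dot(m_dot(bottom_left, b), ds))  # d* + d* c f* b d*
    return (fs[0] + top_right[0],) + tuple(lo + hi for lo, hi in zip(bottom_left, bottom_right))


def naive_star(A):
    """Independent check: iterate X := 1 + A . X to its least fixpoint (finite model)."""
    X = m_one(len(A))
    while True:
        nxt = m_plus(m_one(len(A)), m_dot(A, X))
        if nxt == X:
            return X
        X = nxt


def law_4a_holds(R, A, B):
    """(4a): R . A n B <= R . (R~ . B n A) for a matrix relation R and arbitrary A, B."""
    lhs = m_meet(m_dot(R, A), B)
    rhs = m_dot(R, m_meet(m_dot(m_conv(R), B), A))
    return m_leq(lhs, rhs)


# Constructed sample data: a three-state cycle A, an arbitrary B, and a matrix
# relation R whose entries are tests (subidentities, i.e. subsets of ONE).
r01, r12, r20 = frozenset({(0, 1)}), frozenset({(1, 2)}), frozenset({(2, 0)})
t0, t1, t2 = frozenset({(0, 0)}), frozenset({(1, 1)}), frozenset({(2, 2)})
A_SAMPLE = ((ZERO, r01, ZERO), (ZERO, ZERO, r12), (r20, ZERO, ZERO))
B_SAMPLE = ((r12, ZERO, TOP), (ONE, r20, ZERO), (ZERO, r01, r12))
R_SAMPLE = ((t0, ONE, ZERO), (t1, ZERO, t2), (ZERO, t0 | t1, ONE))


def demo():
    A_star = m_star(A_SAMPLE)
    return {
        "star_matches_iteration": A_star == naive_star(A_SAMPLE),
        "star_axiom": m_plus(m_one(3), m_dot(A_SAMPLE, A_star)) == A_star,  # 1 + A A* = A*
        "law_4a": law_4a_holds(R_SAMPLE, A_SAMPLE, B_SAMPLE),
    }
```

The recursion in `m_star` is exactly formula (2) applied to the block decomposition with a $1 \times 1$ upper-left block; any other square split would do, which is why the independent `naive_star` fixpoint is the useful cross-check.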

4 Kleene Algebra with Relations

We are now ready to abstract from the concrete setting of matrices and define the concept of Kleene algebra with relations.

Definition 2. A Kleene algebra with relations (KAR) is a two-sorted algebra

$$(K, R, +, \cdot, {}^*, 0, 1, \sqcap, \neg_R, {}^\smile, \top)$$

such that

$$(K, +, \cdot, {}^*, 0, 1)$$

is a Kleene algebra and

$$(R, +, \sqcap, \cdot, \neg_R, {}^\smile, 0, 1, \top)$$

is a relation algebra, where $R \subseteq K$, $\sqcap$ is a binary operator defined at least on $R$, ${}^\smile$ is a unary operator defined at least on $R$, $\neg_R$ is a unary operator defined only on $R$, and $\top \in K$.

In the sequel, we let $a, b, c, \ldots$ stand for elements of $K$, and $p, q, r, \phi, \pi, \sigma$ stand for elements of $R$.

Note that in a Boolean KAR, $\neg_R r = \bar r \sqcap \top$.

The relation algebra of a KAR inherits the Kleene star operation from the KA and is thus a relation algebra with transitive closure [21]. Using the axioms of a KA (Definition 1), one can prove that $r^{*\smile} = r^{\smile *}$ (see [21]).

Let a KAR $(K, R, +, \cdot, {}^*, 0, 1, \sqcap, \neg_R, {}^\smile, \top)$ be given. We now present examples of "interactions" between relations in $R$ and arbitrary elements in $K$.

We recall that a relation $r \in R$ is functional (or deterministic, or univalent) iff $r^\smile \cdot r \le 1$ (equivalently, $r \cdot \bar 1 \le \bar r$) [2, 23]. It is total iff $1 \le r \cdot r^\smile$ (equivalently, $r \cdot \top = \top$). A mapping is a total functional relation. A mapping $r$ is bijective iff $r^\smile$ is also a mapping.

In a relational setting, functional relations satisfy additional laws, such as left- 
distributivity over meets. We have a similar situation here for Boolean KARs. 



Proposition 1. Let $(K, R, +, \cdot, {}^*, 0, 1, \sqcap, \neg_R, {}^\smile, \top)$ be a Boolean KAR. Then, for all $a, b \in K$ and $r \in R$,

1. $r$ functional $\Rightarrow$ $r \cdot (a \sqcap b) = r \cdot a \sqcap r \cdot b$,

2. $r$ functional $\Rightarrow$ $r \cdot \bar a \le \overline{r \cdot a}$,

3. $r$ total $\Rightarrow$ $\overline{r \cdot a} \le r \cdot \bar a$.

Proof. 1. Assume $r^\smile \cdot r \le 1$.

$r \cdot (a \sqcap b)$
$\le \langle$ Monotonicity of composition $\rangle$
$r \cdot a \sqcap r \cdot b$
$= \langle$ For any relation $r$, $r = (1 \sqcap r \cdot r^\smile) \cdot r$ [23] $\rangle$
$(1 \sqcap r \cdot r^\smile) \cdot r \cdot a \sqcap (1 \sqcap r \cdot r^\smile) \cdot r \cdot b$
$= \langle$ In a Boolean KA, $t \le 1 \Rightarrow t \cdot (a \sqcap b) = t \cdot a \sqcap t \cdot b$ [6] $\rangle$
$(1 \sqcap r \cdot r^\smile) \cdot (r \cdot a \sqcap r \cdot b)$
$\le \langle$ Monotonicity of composition $\rangle$
$r \cdot r^\smile \cdot (r \cdot a \sqcap r \cdot b)$
$\le \langle$ Monotonicity of composition $\rangle$
$r \cdot (r^\smile \cdot r \cdot a \sqcap r^\smile \cdot r \cdot b)$
$\le \langle$ Hypothesis $r^\smile \cdot r \le 1$ and monotonicity of composition $\rangle$
$r \cdot (a \sqcap b)$

2. It is shown in [ ] that $\forall(a, b \mid : c \cdot (a \sqcap b) = c \cdot a \sqcap c \cdot b)$ and $\forall(a \mid : c \cdot \bar a \le \overline{c \cdot a})$ are equivalent even when $c$ is an arbitrary element of $K$. Thus the result follows from item 1.

3. Assume $r \cdot \top = \top$.

$\overline{r \cdot a} \le r \cdot \bar a$
$\iff \langle$ Shunting $\rangle$
$\top \le r \cdot a + r \cdot \bar a$
$\iff \langle$ Distributivity $\rangle$
$\top \le r \cdot (a + \bar a)$
$\iff \langle$ Boolean law $\rangle$
$\top \le r \cdot \top$
$\iff \langle$ $\top \cdot \top = \top$ (follows from $1 \le \top$) $\rangle$
$\top \le r \cdot \top \cdot \top$
$\iff \langle$ Hypothesis $r \cdot \top = \top$ $\rangle$
$\top \le \top \cdot \top$, which holds since $\top \cdot \top = \top$.

□

The result in Proposition 1(1) is quite interesting. The constraint that $r$ is functional can be written as $r \cdot \bar 1 \le \bar r$. This expression does not involve converse and can thus be used to define what it means for any element $a \in K$ to be deterministic in a certain sense ($a \cdot \bar 1 \le \bar a$). It is shown in [6] that this condition is not sufficient to ensure left distributivity of $a$ over meets. Thus, relations are special.

A relation $\phi$ is a homomorphism from $a$ to $b$ iff $\phi$ is a mapping and $\phi^\smile \cdot a \cdot \phi \le b$. A relation $\phi$ is an isomorphism between $a$ and $b$ iff $\phi$ is a homomorphism from $a$ to $b$ and $\phi^\smile$ is a homomorphism from $b$ to $a$, which is equivalent to saying that $\phi$ is a bijective mapping and $\phi^\smile \cdot a \cdot \phi = b$. It is easy to see that if $\phi$ is a mapping,

$$\phi^\smile \cdot a \cdot \phi \le b \iff a \cdot \phi \le \phi \cdot b \iff a \le \phi \cdot b \cdot \phi^\smile \iff \phi^\smile \cdot a \le b \cdot \phi^\smile.$$

And if $\phi$ is a bijective mapping, then

$$\phi^\smile \cdot a \cdot \phi = b \iff a \cdot \phi = \phi \cdot b \iff a = \phi \cdot b \cdot \phi^\smile \iff \phi^\smile \cdot a = b \cdot \phi^\smile.$$

Thus, the formulae are as in a pure relational setting [23], but apply to a wider range of models. Note, e.g., that matrices over a KA can be used to represent the transition structure of automata [4, 13] or, more generally, transition systems with relations labeling the transitions. For instance (the two transition diagrams of the original figure are not reproduced here), the first three-state system is represented by

$$\begin{pmatrix} 0 & a & 0 \\ 0 & b & c \\ 0 & d & 0 \end{pmatrix}$$

and the second by

$$\begin{pmatrix} 0 & 0 & a \\ 0 & 0 & d \\ 0 & c & b \end{pmatrix},$$

and

$$\begin{pmatrix} 1 & 0 & 0 \\ 0 & 0 & 1 \\ 0 & 1 & 0 \end{pmatrix} \text{ is an isomorphism between } \begin{pmatrix} 0 & a & 0 \\ 0 & b & c \\ 0 & d & 0 \end{pmatrix} \text{ and } \begin{pmatrix} 0 & 0 & a \\ 0 & 0 & d \\ 0 & c & b \end{pmatrix}.$$

Hence we have a means to describe homomorphisms and isomorphisms between structures within the same calculus of Kleene algebra that is used to describe the structures, rather than by external functions.

Other relationships that can be described within the calculus are those of simulation and bisimulation [8, 19]. We say that a relation $\sigma$ is a bisimulation between $a$ and $b$ iff

$$\sigma^\smile \cdot a \le b \cdot \sigma^\smile \quad \text{and} \quad \sigma \cdot b \le a \cdot \sigma \qquad (5)$$

(the diagram of the original figure, not reproduced here, shows how the elements $a$, $b$ and $\sigma$ are connected).

Note that this is a standard definition of bisimulation when $a$, $b$ and $\sigma$ are relations [7, 8]. The interest here is that it applies to a more general setting.
Since the join of bisimulations is again a bisimulation, there is a largest bisimulation (assuming that arbitrary sums exist in the underlying KA). For instance, consider the following matrices and the graphs (trees) associated to $A$ and $B$.

$$A = \begin{pmatrix} 0 & a & 0 & 0 \\ 0 & 0 & b & c \\ 0 & 0 & 0 & 0 \\ 0 & 0 & 0 & 0 \end{pmatrix}, \qquad B = \begin{pmatrix} 0 & a & a & 0 & 0 \\ 0 & 0 & 0 & b & 0 \\ 0 & 0 & 0 & 0 & c \\ 0 & 0 & 0 & 0 & 0 \\ 0 & 0 & 0 & 0 & 0 \end{pmatrix}, \qquad S = \begin{pmatrix} 0 & 0 & 0 & 0 & 0 \\ 0 & 0 & 0 & 0 & 0 \\ 0 & 0 & 0 & 1 & 1 \\ 0 & 0 & 0 & 1 & 1 \end{pmatrix}.$$

It is a simple task to check that $\mathbf{0}$ and $S$ are bisimulations, no matter what the interpretation of $a, b, c$ is. For instance, if the entries of the matrices come from an algebra of languages over an alphabet $\{a, b, c\}$, we could have

$$a := \{a\}, \quad b := \{b\}, \quad c := \{c\}.$$

In this case, $S$ is the largest bisimulation. It shows that the leaves of the trees are bisimilar and that the roots are not (this is the prototypical example of systems that are not bisimilar [18, 19], because $S[1,1] = 0$).

In an algebra of paths, matrix $S$ is still a bisimulation, but it might be possible to find a larger one, because the set of tests is richer than for languages. For instance, with the alphabet $\{a, b, c, d, e, f\}$ and the interpretation

$$a := \{ab, abc, bd\}, \quad b := \{bc, de\}, \quad c := \{cd, df\},$$

one finds that

$$\begin{pmatrix} \{\varepsilon, c, d, e, f\} & 0 & 0 & 0 & 0 \\ 0 & \{\varepsilon, a, b, e, f\} & \{\varepsilon, a, c, e, f\} & 0 & 0 \\ 0 & 0 & 0 & 1 & 1 \\ 0 & 0 & 0 & 1 & 1 \end{pmatrix}$$

is the largest bisimulation.
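As an added example, not part of the paper, the Python code below computes the largest Boolean bisimulation between two matrices over the language KA by the greatest-fixpoint reading of (5): start from the relational top and drop every pair $(i,j)$ for which $\sigma^\smile \cdot a \le b \cdot \sigma^\smile$ or $\sigma \cdot b \le a \cdot \sigma$ fails pointwise. It is restricted to Boolean $\sigma$ (tests $\{\emptyset, \{\varepsilon\}\}$), so it covers the language case above and not the richer path-algebra case. The trees $A$ and $B$ and the singleton interpretation of $a, b, c$ are those of the text (with 0-based indices); the function names are this example's own.

```python
# Added example, not from the paper: the largest Boolean bisimulation between
# two matrices over the language KA, obtained as the greatest fixpoint of (5).
# Entries are sets of words; sigma is a Boolean matrix kept as a set of index
# pairs. Indices are 0-based (the paper's are 1-based).
def union(sets):
    out = frozenset()
    for s in sets:
        out |= s
    return out


def pair_ok(A, B, sigma, i, j):
    """Pointwise reading of (5) for one pair (i, j):
    sigma~ A <= B sigma~ : every word of A[i][k] occurs in some B[j][l] with (k, l) in sigma;
    sigma B <= A sigma   : every word of B[j][l] occurs in some A[i][k] with (k, l) in sigma."""
    n, m = len(A), len(B)
    forward = all(A[i][k] <= union(B[j][l] for l in range(m) if (k, l) in sigma)
                  for k in range(n))
    backward = all(B[j][l] <= union(A[i][k] for k in range(n) if (k, l) in sigma)
                   for l in range(m))
    return forward and backward


def is_bisimulation(A, B, sigma):
    return all(pair_ok(A, B, sigma, i, j) for (i, j) in sigma)


def largest_bisimulation(A, B):
    """Start from the relational top and drop violating pairs until (5) holds.
    Every bisimulation survives: shrinking sigma only shrinks the unions in pair_ok,
    so a pair that is fine inside a smaller bisimulation is fine inside any superset."""
    sigma = {(i, j) for i in range(len(A)) for j in range(len(B))}
    while True:
        bad = {p for p in sigma if not pair_ok(A, B, sigma, *p)}
        if not bad:
            return frozenset(sigma)
        sigma -= bad


def as_matrix(sigma, n, m):
    return tuple(tuple(1 if (i, j) in sigma else 0 for j in range(m)) for i in range(n))


E = frozenset()  # the empty language, the KA's 0


def L(*words):
    return frozenset(words)


# The trees of the text: A has root 0 -a-> 1, then 1 -b-> 2 and 1 -c-> 3;
# B has root 0 -a-> 1, 0 -a-> 2, then 1 -b-> 3 and 2 -c-> 4.
A_TREE = (
    (E, L("a"), E, E),
    (E, E, L("b"), L("c")),
    (E, E, E, E),
    (E, E, E, E),
)
B_TREE = (
    (E, L("a"), L("a"), E, E),
    (E, E, E, L("b"), E),
    (E, E, E, E, L("c")),
    (E, E, E, E, E),
    (E, E, E, E, E),
)


def demo():
    """Largest bisimulation between the two trees as a 4 x 5 Boolean matrix."""
    return as_matrix(largest_bisimulation(A_TREE, B_TREE), 4, 5)


if __name__ == "__main__":
    for row in demo():
        print(row)
```

Running `demo()` reproduces the matrix $S$ of the text: the roots are dropped in the second round, once the pair of the two inner nodes has been removed, because the root of $A$ has no $a$-successor left that is related to a successor of the root of $B$.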

We now make additional assumptions that will allow us to show how a largest 
bisimulation can be extracted from (5). 

1. We assume a Boolean KAR. 

2. We assume (4c), which holds in an algebra of matrices over a Boolean KA 
with tests, in the form 

$$r \cdot a \le b \iff \breve{r} \cdot \overline{b} \le \overline{a} ,$$

where $r$ is a relation and $a, b \in K$ (this does not hold in arbitrary KARs, as 
shown below). This allows us to rewrite (5) as 

$$\sigma \cdot \overline{b \cdot \breve{\sigma}} \le \overline{a} \quad\text{and}\quad \sigma \cdot b \le a \cdot \sigma . \qquad (6)$$

3. We assume a complete KAR. This ensures that a left residual operator $/$ can 
be defined by the Galois connection $a \cdot b \le c \iff a \le c / b$ [1]. We can thus 
rewrite (6) as 

$$\sigma \le \overline{a} / \overline{b \cdot \breve{\sigma}} \quad\text{and}\quad \sigma \le (a \cdot \sigma) / b ,$$

from which we get 

$$\sigma \le \overline{a} / \overline{b \cdot \breve{\sigma}} \cap (a \cdot \sigma) / b .$$

The function $f(\sigma) = \overline{a} / \overline{b \cdot \breve{\sigma}} \cap (a \cdot \sigma) / b$ is monotonic. Due to completeness, 
a largest solution for $\sigma$ exists. However, it need not be a relation. 

4. We assume that for any $a \in K$, $a \cap T \in R$ (i.e., $a \cap T$ is a relation). With this 
assumption, we get the largest relation that is a bisimulation as the largest 
solution of 

$$\sigma \le \overline{a} / \overline{b \cdot \breve{\sigma}} \cap (a \cdot \sigma) / b \cap T .$$
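As an added example (not code from the paper), the following Python computes the largest bisimulation by the descending iteration the procedure above describes, for the trees A and B of the earlier example under the language interpretation, where the only tests are 0 and 1 (the path-algebra case is not covered). It assumes the two standard zig-zag conditions written entry-wise for matrices of label sets; the state numbering and all helper names are the example's own.

```python
"""Largest bisimulation between two transition systems given as matrices over
the Kleene algebra of finite label sets: the language interpretation of the
text, where the only tests are 0 and 1.  Added example, not the paper's code."""
from typing import Dict, FrozenSet, List, Set, Tuple

Label = FrozenSet[str]
Matrix = Dict[Tuple[int, int], Label]   # sparse: an absent entry is 0 (the empty set)
Relation = Set[Tuple[int, int]]         # a 0/1 matrix, stored as its set of pairs


def L(*letters: str) -> Label:
    return frozenset(letters)


# The trees A (4 states) and B (5 states) from the text, states numbered from 1.
A: Matrix = {(1, 2): L("a"), (2, 3): L("b"), (2, 4): L("c")}
B: Matrix = {(1, 2): L("a"), (1, 3): L("a"), (2, 4): L("b"), (3, 5): L("c")}
# The matrix S from the text, as a set of pairs: the leaves of A and of B.
S: Relation = {(3, 4), (3, 5), (4, 4), (4, 5)}


def entry(m: Matrix, i: int, j: int) -> Label:
    return m.get((i, j), frozenset())


def moves_from(m: Matrix, i: int) -> List[Tuple[int, Label]]:
    """Non-zero entries of row i of m, as (target, labels) pairs."""
    return [(j, lab) for (k, j), lab in m.items() if k == i and lab]


def pair_ok(a: Matrix, b: Matrix, sigma: Relation, x: int, y: int) -> bool:
    """Entry-wise form of the two zig-zag conditions for the pair (x, y):
    sigma~ . a <= b . sigma~ says every label on x -> x2 also labels some
    y -> y2 with (x2, y2) in sigma; sigma . b <= a . sigma is the converse
    requirement.  Entries are unioned because + of the KA is set union."""
    for x2, labels in moves_from(a, x):
        matched: Set[str] = set()
        for (x3, y2) in sigma:
            if x3 == x2:
                matched |= entry(b, y, y2)
        if not labels <= matched:
            return False
    for y2, labels in moves_from(b, y):
        matched = set()
        for (x2, y3) in sigma:
            if y3 == y2:
                matched |= entry(a, x, x2)
        if not labels <= matched:
            return False
    return True


def is_bisimulation(a: Matrix, b: Matrix, sigma: Relation) -> bool:
    return all(pair_ok(a, b, sigma, x, y) for (x, y) in sigma)


def largest_bisimulation(a: Matrix, b: Matrix, n_a: int, n_b: int) -> Relation:
    """Greatest fixed point by descending iteration: start from the full
    relation T and drop the pairs that violate the conditions until nothing
    changes.  Every bisimulation is contained in every iterate, so the result
    is the join of all bisimulations, i.e. the largest one."""
    sigma: Relation = {(x, y) for x in range(1, n_a + 1) for y in range(1, n_b + 1)}
    while True:
        kept = {(x, y) for (x, y) in sigma if pair_ok(a, b, sigma, x, y)}
        if kept == sigma:
            return sigma
        sigma = kept


if __name__ == "__main__":
    print(sorted(largest_bisimulation(A, B, 4, 5)))    # [(3, 4), (3, 5), (4, 4), (4, 5)]
    print((1, 1) in largest_bisimulation(A, B, 4, 5))  # False: the roots are not bisimilar
    print((1, 1) in largest_bisimulation(A, A, 4, 4))  # True: A is bisimilar to itself
```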

5 Additional Axioms and Representability 

The treatment of bisimulations in the previous section required the introduction 
of axioms in addition to those provided by Definition 2. So, the question arises 
as to what is the most suitable set of axioms for Kleene algebra with relations. 
With a specific intended model in mind, one can be guided in this choice. Here, 
however, the starting point is that of matrices over arbitrary KAs, and various 
KAs can be useful, depending on the context. For instance, when describing 
programs as transition systems using matrices over a KA, the desired degree of 
precision dictates the type of the underlying KA. If high precision is required, 
the entries of the matrices are chosen to be relations on the set of states of 
the program. If a more abstract view is desired, the entries of the matrices can 
be simple labels naming actions done by the program and the KA is that of 
languages over these labels. 

For many applications in Computer Science, matrices over a Boolean KA are 
needed (this is the case for the two examples in the previous paragraph). As 
already noted, these satisfy a form of Schröder equivalences (see (4) above), so 
that it becomes natural to require 

$$r \cdot a \cap b \le 0 \iff \breve{r} \cdot b \cap a \le 0 \quad\text{and}\quad a \cdot r \cap b \le 0 \iff b \cdot \breve{r} \cap a \le 0 \qquad (7)$$

for Boolean KAR. These equivalences do not follow from the definition of a KAR 
(Definition 2), even when it is Boolean. This is shown by the following example, 
due to Peter Jipsen. 
Let the sets of atoms of $K$ and $R$ be $\{1, r, a\}$ and $\{1, r\}$, respectively. Composition on the atoms of $K$ is defined by the following table. Note that $T = 1 + r$ and $\top = 1 + r + a = T + a$. 

    ·  |  1   r   a 
   ----+------------ 
    1  |  1   r   a 
    r  |  r   T   ⊤ 
    a  |  a   ⊤   ⊤ 

Composition on $K$ and $R$ is obtained by distributivity using this table. The 
converse operation on $R$ is given by $\breve{x} = x$, and the Kleene star on $K$ is defined 
by $0^* = 1$ and $x^* = x^2$ for $x \ne 0$. One can check that with these operations, $R$ 
is a relation algebra and $K$ is a Boolean KAR. Now, 

$$\breve{r} \cdot r \cap a = r \cdot r \cap a = T \cap a \le 0 ,$$

but 

$$r \cdot a \cap r = \top \cap r = r \ne 0 .$$

Note the following consequence of (7): 

$$T \cdot \overline{T} \cap T \le 0 \iff \breve{T} \cdot T \cap \overline{T} \le 0 \iff T \cap \overline{T} \le 0 \iff \mathrm{true} .$$

The expression $T \cdot \overline{T} \cap T$ is the relational part of the composition $T \cdot \overline{T}$. The 
above result means that the composition of a relation with an element that 
contains no relational part does not contain any (nonzero) relational part. This 
is violated in Jipsen's example, since $r \cdot a = \top = T + a$. 
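Because $K$ has only eight elements, the claim that Jipsen's structure is a Boolean KAR in which (7) fails can be checked exhaustively. The following Python is an added example, not the paper's; the names TABLE, comp, star and schroeder_counterexamples are its own, and it encodes the atoms as strings and elements of $K$ as frozensets of atoms.

```python
"""Exhaustive check of Jipsen's example: K has atoms 1, r, a (its elements are
the subsets of these), R = {0, 1, r, T} with T = 1 + r, and composition on the
atoms is given by the table in the text.  Added example code, not the paper's."""
from itertools import product

ONE, R_, A_ = "1", "r", "a"
ATOMS = (ONE, R_, A_)
ZERO = frozenset()
I = frozenset({ONE})            # the identity 1
T = frozenset({ONE, R_})        # T = 1 + r, the largest relation
TOP = frozenset(ATOMS)          # the largest element of K, T + a

# Composition on atoms (first index: left factor, second index: right factor).
TABLE = {
    (ONE, ONE): I,              (ONE, R_): frozenset({R_}), (ONE, A_): frozenset({A_}),
    (R_, ONE): frozenset({R_}), (R_, R_): T,                (R_, A_): TOP,
    (A_, ONE): frozenset({A_}), (A_, R_): TOP,              (A_, A_): TOP,
}
# All eight elements of K, as subsets of the atoms.
K = [frozenset(p for p, bit in zip(ATOMS, bits) if bit) for bits in product((0, 1), repeat=3)]


def comp(x, y):
    """x . y, extended from the atoms by distributivity (union over atom pairs)."""
    return frozenset().union(*(TABLE[(p, q)] for p in x for q in y))


def star(x):
    """0* = 1 and x* = x^2 for x != 0, as in the text."""
    return I if not x else comp(x, x)


def conv(x):
    """Converse on R is the identity; only relations (subsets of T) have one."""
    assert x <= T, "converse is only defined on relations"
    return x


def kleene_axioms_hold():
    """Associativity of . plus the unfolding and induction axioms for *,
    checked over every element (resp. triple of elements) of K."""
    for x, y, z in product(K, repeat=3):
        if comp(comp(x, y), z) != comp(x, comp(y, z)):
            return False
    for x in K:
        if not (I | comp(x, star(x))) <= star(x) or not (I | comp(star(x), x)) <= star(x):
            return False
    for a, b, x in product(K, repeat=3):
        if (b | comp(a, x)) <= x and not comp(star(a), b) <= x:
            return False
        if (b | comp(x, a)) <= x and not comp(b, star(a)) <= x:
            return False
    return True


def schroeder_holds(r, a, b):
    """The first equivalence in (7): r.a ∩ b <= 0  <=>  r~.b ∩ a <= 0."""
    return ((comp(r, a) & b) == ZERO) == ((comp(conv(r), b) & a) == ZERO)


def schroeder_counterexamples():
    """Triples (r, a, b), r a relation, for which (7) fails in this KAR."""
    rels = [x for x in K if x <= T]
    return [(r, a, b) for r in rels for a in K for b in K if not schroeder_holds(r, a, b)]


def relational_part(x):
    """x ∩ T: the relational part of an element of K."""
    return x & T


if __name__ == "__main__":
    print(kleene_axioms_hold())                      # True
    print(schroeder_counterexamples()[:1])           # includes (r, a, r) from the text
    print(relational_part(comp(frozenset({R_}), frozenset({A_}))) == T)  # True: r.a = TOP
```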

The determination of the intended model is also important in connection 
with questions about representability, where the goal is to determine whether 
any algebra satisfying a given set of axioms is isomorphic to a concrete instance 
of the intended model. As indicated at the beginning of this section, there is no 
single concrete intended model, since many models may be useful. However, let 
us say that a KAR $(K, R, +, \cdot, {}^*, 0, 1, \cap, \bar{\ }, \breve{\ }, T)$ is representable relative to 
a given KA with tests $(K', T', +, \cdot, {}^*, 0, 1, \neg)$ iff 

1. $(K, +, \cdot, {}^*, 0, 1)$ is isomorphic to the set of square matrices of a fixed (finite 
or infinite¹) cardinality over $K'$ with the corresponding Kleene operations, 
and 

2. $(R, +, \cap, \cdot, \bar{\ }, \breve{\ }, 0, 1, T)$ is isomorphic to the subset of these matrices that 
are matrices over $T'$ with the corresponding relational operations. 

One can then investigate whether a given set of axioms ensures relative rep- 
resentability with respect to a given KA with tests; this is a topic for future 
research. 

¹ Dealing with infinite matrices is outside the scope of this paper, but this can be done under suitable restrictions (see [16]). 
6 Projections and Unsharpness 

Projections constitute another example of the use of relations inside a KA. We 
again assume that the KA is Boolean. 

Definition 3. A pair of relations $(\pi_1, \pi_2)$ is called a direct product iff 

$$\breve{\pi}_1 \cdot \pi_1 = 1, \qquad \breve{\pi}_2 \cdot \pi_2 = 1, \qquad \pi_1 \cdot \breve{\pi}_1 \cap \pi_2 \cdot \breve{\pi}_2 = 1, \qquad \breve{\pi}_1 \cdot \pi_2 = T .$$

The product of $a_1$ and $a_2$ is $a_1 \times a_2 = \pi_1 \cdot a_1 \cdot \breve{\pi}_1 \cap \pi_2 \cdot a_2 \cdot \breve{\pi}_2$. The relations $\pi_1$ 
and $\pi_2$ are called projections. 

This is the standard definition of projections in a heterogeneous setting [23]. 
However, note that $T$ need not be the largest element of the algebra, which 
is $\top$. 

Consider the following matrices. 

$$P_1 = \begin{pmatrix} 1 & 0 \\ 1 & 0 \\ 1 & 0 \\ 0 & 1 \\ 0 & 1 \\ 0 & 1 \end{pmatrix}, \qquad
P_2 = \begin{pmatrix} 1 & 0 & 0 \\ 0 & 1 & 0 \\ 0 & 0 & 1 \\ 1 & 0 & 0 \\ 0 & 1 & 0 \\ 0 & 0 & 1 \end{pmatrix}, \qquad
A_1 = \begin{pmatrix} a & b \\ c & d \end{pmatrix}, \qquad
A_2 = \begin{pmatrix} e & f & g \\ h & i & j \\ k & l & n \end{pmatrix}.$$

The relations $P_1$ and $P_2$ constitute a direct product. The product of $A_1$ and $A_2$ 
is easily calculated and corresponds to the synchronous product of the automata 
or transition systems represented by $A_1$ and $A_2$. 

$$A_1 \times A_2 = \begin{pmatrix}
a \cap e & a \cap f & a \cap g & b \cap e & b \cap f & b \cap g \\
a \cap h & a \cap i & a \cap j & b \cap h & b \cap i & b \cap j \\
a \cap k & a \cap l & a \cap n & b \cap k & b \cap l & b \cap n \\
c \cap e & c \cap f & c \cap g & d \cap e & d \cap f & d \cap g \\
c \cap h & c \cap i & c \cap j & d \cap h & d \cap i & d \cap j \\
c \cap k & c \cap l & c \cap n & d \cap k & d \cap l & d \cap n
\end{pmatrix}$$

With direct products in the picture, one naturally wonders what happens 
to the unsharpness problem [3] in this setting. The problem consists in determining whether 

$$(q_1 \cdot \breve{\pi}_1 \cap q_2 \cdot \breve{\pi}_2) \cdot (\pi_1 \cdot r_1 \cap \pi_2 \cdot r_2) = q_1 \cdot r_1 \cap q_2 \cdot r_2$$

holds for all relations $q_1, q_2, r_1, r_2$. It does hold for concrete algebras of relations, but it is 
shown in [17] that it does not in RA. The counterexample is rather complex. 
However, the special case $(q_1 \times q_2) \cdot (r_1 \times r_2) = q_1 \cdot r_1 \times q_2 \cdot r_2$ holds in RA² for 
all relations $q_1, q_2, r_1, r_2$ [5]. 

With KAR, it is very simple to exhibit an example illustrating that even the 
special case $(a_1 \times a_2) \cdot (b_1 \times b_2) = a_1 \cdot b_1 \times a_2 \cdot b_2$ does not hold. Consider a Boolean 
KAR $K$ with $\{0, 1\}$ as set of relations (note that $T = 1$). Let $\pi_1 = 1$ and $\pi_2 = 1$. 
Then $(\pi_1, \pi_2)$ is a direct product. For arbitrary $a, b, c \in K$, we have 

$$(a \times a \cdot b) \cdot (b \cdot c \times c) = (a \cap a \cdot b) \cdot (b \cdot c \cap c) ,$$



² Composition (·) has precedence over ×. 
while 

$$a \cdot (b \cdot c) \times (a \cdot b) \cdot c = a \cdot b \cdot c .$$

It is easy to find concrete examples where $(a \cap a \cdot b) \cdot (b \cdot c \cap c) = 0$ and $a \cdot b \cdot c \ne 0$. 

In [12], Kempf and Winter create unsharpness in a purely relational setting 
by requiring $\breve{\pi}_1 \cdot \pi_2 = L < \top$, where $L$ is the greatest tabular relation instead 
of the $\top$ relation. This is analogous to the situation with KARs, where $\breve{\pi}_1 \cdot \pi_2 = 
T < \top$, so that $T$ need not be the $\top$ element. 



7 Conclusion 

This paper introduces the concept of Kleene algebra with relations, but only 
presents basic results and simple motivating applications. There is much more 
to do, both on the use of the concept for applications and on the development of 
the theory, in particular on the problem of relative representability. As a conclu- 
sion, we note that the idea of finding a relation algebra inside another structure 
is not new. In [10, 11], von Karger and Hoare introduce sequential algebras, which 
are Boolean KAs with additional laws, but not as constrained as relation algebras; 
in sequential algebras, a (possibly trivial) subset of the elements behave as 
relations. Although the approach and motivation are completely different from 
those presented here, it would be interesting to investigate their relationships, 
in particular with respect to results on representability [9] versus relative repre- 
sentability as defined in Sect. 5. 
Abstract. We present Prioni, a tool that integrates model checking 
and theorem proving for relational reasoning. Prioni takes as input for- 
mulas written in Alloy, a declarative language based on relations. Prioni 
uses the Alloy Analyzer to check the validity of Alloy formulas for a given 
scope that bounds the universe of discourse. The Alloy Analyzer can re- 
fute a formula if a counterexample exists within the given scope, but 
cannot prove that the formula holds for all scopes. For proofs, Prioni 
uses Athena, a denotational proof language. Prioni translates Alloy for- 
mulas into Athena proof obligations and uses the Athena tool for proof 
discovery and checking. 



1 Introduction 

Prioni is a tool that integrates model checking and theorem proving for re- 
lational reasoning. Prioni takes as input formulas written in the Alloy lan- 
guage [7]. We chose Alloy because it is an increasingly popular notation for the 
calculus of relations. Alloy is a first-order, declarative language. It was initially 
developed for expressing and analyzing high-level designs of software systems. 
It has been successfully applied to several systems, exposing bugs in Microsoft 
COM [9] and a naming architecture for dynamic networks [10]. It has also been 
used for software testing [12], as a basis of an annotation language [11], and 
for checking code conformance [20]. Alloy is gaining popularity mainly for two 
reasons: it is based on relations, which makes it easy to write specifications 
about many systems; and properties of Alloy specifications can be automatically 
analyzed using the Alloy Analyzer (AA) [8]. 

Prioni leverages AA to model-check Alloy specifications. AA finds instances 
of Alloy specifications, i.e., assignments to relations in a specification that make 
the specification true. AA requires users to provide only a scope that bounds 
the universe of discourse. AA then automatically translates Alloy specifications 
into boolean satisfiability formulas and uses off-the-shelf SAT solvers to find 
satisfying assignments to the formulas. A satisfying assignment to a formula that 
expresses the negation of a property provides a counterexample that illustrates 
a violation of the property. AA is restricted to finite refutation: if AA does 
not find a counterexample within some scope, there is no guarantee that no 
counterexample exists in a larger scope. Users can increase their confidence 
by re-running AA for a larger scope, as long as AA completes its checking in 
a reasonable amount of time. 

It is worth noting that a successful exploration of a finite scope may lead to 
a false sense of security. There is anecdotal evidence of experienced AA users who 
developed Alloy specifications, checked them for a certain scope, and believed the 
specifications to hold when in fact they were false. (In particular, this happened 
to the second author in his earlier work [10].) In some cases, the fallacy is revealed 
when AA can handle a larger scope, due to advances in hardware, SAT solver 
technology, or translation of Alloy specifications. In some cases, the fallacy is 
revealed by a failed attempt to carefully argue the correctness of the specification, 
even if the goal is not to produce a formal proof of correctness. 

Prioni integrates AA with a theorem prover that enables the users to prove 
that their Alloy specifications hold for all scopes. Prioni uses Athena for proof 
representation, discovery, and checking. Athena is a type-ω denotational proof 
language [2] for polymorphic multi-sorted first-order logic. We chose Athena for 
several reasons: 1) It uses a natural-deduction style of reasoning based on assumption bases that makes it easier to read and write proofs. 2) It offers a strong 
soundness guarantee. 3) It has a flexible polymorphic sort system with built-in 
support for structural induction. 4) It offers a high degree of automation through 
the use of methods, which are akin to the tactics and tacticals of HOL [5] and 
Isabelle [15]. In addition, Athena offers built-in automatic translations from its 
own notation to languages such as the TPTP standard [1], and can be seamlessly 
integrated with any automatic theorem prover that accepts inputs in such a lan- 
guage. The use of such provers allows one to skip many tedious steps, focusing 
instead on the interesting parts of the proof. In this example we used Otter [21]; 
more recently we have experimented with Vampire [17]. 

Prioni provides two key technologies that enable the effective use of Athena 
to prove Alloy specifications. First, Prioni provides an axiomatization of the 
calculus of relations in Athena and a library of commonly used lemmas for this 
calculus. Since this calculus is the foundation of Alloy, the axiomatization and 
the lemmas together eliminate much of the formalization burden that normally 
confronts users of theorem provers. Second, Prioni provides an automatic trans- 
lation from Alloy to the Athena relational calculus. This translation eliminates 
the coding effort and transcription errors that complicate the direct manual use 
of theorem provers. Finally, we note that since Athena has a formal semantics, 
the translation also gives a precise semantics to Alloy. 

Prioni supports the following usage scenario. The user starts from an Alloy 
specification, model-checks it and potentially changes it until it holds for as big 
a scope as AA can handle. After eliminating the most obvious errors in this 
manner, the user may proceed to prove the specification. This attempt may 
introduce new proof obligations, such as an inductive step. The user can then 
again use AA to model-check these new formulas to be proved. This way, model 
checking aids proof engineering. But proving can also help model checking. Even 
when the user cannot prove that the whole specification is correct, the user may 
be able to prove that a part of it is. This can make the specification smaller, 
and AA can then check the new specification in a larger scope than the original 
specification. Machine-verifiable proofs of key properties greatly increase our 
trust in the reliability of the system. An additional benefit of having readable 
formal proofs lies in improved documentation: such proofs not only show that 
the desired properties hold, but also why they hold. 



2 Model Checking 



We next illustrate the use of our Prioni prototype on a recursive function that 
returns the set of all elements in a list. We establish that the result of the function 
is the same as a simple relational expression that uses transitive closure. The 
following Alloy specification introduces lists and the function of interest: 



module List 
sig Object {} 
sig Node { 
  next: option Node,  // next is a partial function from Node to Node 
  data: Object }      // data is a total function from Node to Object 
det fun elms(n: Node): set Object { 
  if (no n.next) then result = n.data 
  else result = n.data + elms(n.next) } 
assert Equivalence { all n: Node | elms(n) = n.*next.data } 
check Equivalence for 5 



The declaration module names the specification. The keyword sig introduces 
a signature, i.e., a set of indivisible atoms. Each signature can have field declarations that introduce relations. By default, fields are total functions; the modifiers 
option and set are used for partial functions and general relations, respectively. 

The keyword fun introduces an Alloy “function”, i.e., a parametrized formula 
that can be invoked elsewhere in the specification. In general, an Alloy function 
denotes a relation between its arguments and the result; the modifier det specifies 
an actual function. The function elms has one argument, n. Semantically, all 
variables in Alloy are relations (i.e., sets). Thus, n is not a scalar from the set 
Node; n is a singleton subset of Node. (A general subset is declared with set.) 
In the function body, result refers to the result of the function. The intended 
meaning of elms is to return the set of objects in all nodes reachable from n. 
The operator ‘.’ represents relational composition; n.next is the set of nodes 
that the relation next maps n to. Note that the recursive invocation type-checks 
even when this set is empty, because the type of n is essentially a set of Nodes. 

The keyword assert introduces an assertion , i.e., a formula to be checked. 
The prefix operator * denotes reflexive transitive closure. The expression 
n.*next denotes the set of all nodes reachable from n, and n.*next.data de- 
notes the set of objects in these nodes. Equivalence states that the result of 
elms is exactly the set of all those objects. The command check instructs AA 
to check this for the given scope , in this example for all lists with at most five 
nodes and five objects. AA produces a counterexample, where a list has a cycle. 
Operationally, elms would not terminate if there is a cycle reachable from its 
argument. In programming language semantics, the least fixed point is taken 
as the meaning of a recursive function definition. Since Alloy is a declarative, 
relational language, AA instead considers all functions that satisfy the recursive 
definition of elms. 

We can rule out cyclic lists by adding to the above Alloy specification the following: fact AllAcyclic { all n: Node | n !in n.^next }. A fact is a formula 
that is assumed to hold, i.e., AA checks if the assertion follows from the conjunction of all facts in the specification. AllAcyclic states that there is no node 
n reachable from itself, i.e., no node n is in the set n.^next; ^ denotes transitive 
closure. We again use AA to check Equivalence, and this time AA produces no 
counterexample. 
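To see what a finite-scope search does on this specification, here is an added Python illustration (not Prioni's or AA's code) that enumerates every next, every data and every candidate meaning of elms in a small scope and reports an instance violating Equivalence; assume_acyclic switches the fact AllAcyclic on. The encoding of nodes and objects as small integers and the helper names are this example's own assumptions.

```python
"""Bounded check of the Alloy assertion Equivalence from the List specification:
for every node n, elms(n) = n.*next.data.  Added illustration of a finite-scope
search in the style of the Alloy Analyzer; it is not Prioni's or AA's own code."""
from itertools import combinations, product
from typing import Dict, FrozenSet, List, Optional

Next = Dict[int, Optional[int]]   # 'next: option Node' -> partial function on nodes
Data = Dict[int, int]             # 'data: Object'      -> total function to objects
Elms = Dict[int, FrozenSet[int]]  # one candidate meaning for elms


def reachable(nxt: Next, n: int) -> FrozenSet[int]:
    """n.*next: the nodes reachable from n by zero or more next steps."""
    seen = set()
    cur: Optional[int] = n
    while cur is not None and cur not in seen:
        seen.add(cur)
        cur = nxt[cur]
    return frozenset(seen)


def is_acyclic(nxt: Next, nodes: List[int]) -> bool:
    """fact AllAcyclic: no node lies in n.^next, i.e. none reaches itself."""
    return all(nxt[n] is None or n not in reachable(nxt, nxt[n]) for n in nodes)


def satisfies_elms_def(nxt: Next, data: Data, elms: Elms, nodes: List[int]) -> bool:
    """Does the candidate elms satisfy the recursive definition
    'if (no n.next) then result = n.data else result = n.data + elms(n.next)'?
    Alloy admits every function satisfying it, not only the least one."""
    for n in nodes:
        expected = {data[n]} if nxt[n] is None else {data[n]} | elms[nxt[n]]
        if elms[n] != expected:
            return False
    return True


def check_equivalence(n_nodes: int, n_objects: int, assume_acyclic: bool) -> Optional[dict]:
    """Search the scope of n_nodes nodes and n_objects objects for an instance
    with elms(n) != n.*next.data; return it as a counterexample, or None."""
    nodes = list(range(n_nodes))
    objects = list(range(n_objects))
    subsets = [frozenset(c) for k in range(n_objects + 1) for c in combinations(objects, k)]
    for nxt_vals in product([None] + nodes, repeat=n_nodes):
        nxt: Next = dict(zip(nodes, nxt_vals))
        if assume_acyclic and not is_acyclic(nxt, nodes):
            continue
        for data_vals in product(objects, repeat=n_nodes):
            data: Data = dict(zip(nodes, data_vals))
            for elms_vals in product(subsets, repeat=n_nodes):
                elms: Elms = dict(zip(nodes, elms_vals))
                if not satisfies_elms_def(nxt, data, elms, nodes):
                    continue
                for n in nodes:
                    closure = frozenset(data[m] for m in reachable(nxt, n))
                    if elms[n] != closure:
                        return {"next": nxt, "data": data, "elms": elms, "node": n}
    return None


if __name__ == "__main__":
    # Without the fact, a cyclic list lets elms pick up extra objects; with it, none.
    print(check_equivalence(2, 2, assume_acyclic=False))
    print(check_equivalence(2, 2, assume_acyclic=True))   # None
```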

3 Athena Overview 

Athena is a type-ω denotational proof language [2] for polymorphic multi-sorted 
first-order logic. This section presents parts of Athena relevant to understanding 
the example. In Athena, an arbitrary universe of discourse (sort) is introduced 
with a domain declaration, for example: 

(domain Real) 

(domain Person) 

Function symbols and constants can then be declared on the domains, e.g.: 

(declare + (-> (Real Real) Real)) 

(declare joe Person) 

(declare pi Real) 

Relations are functions whose range is the predefined sort Boolean, e.g., 

(declare < (-> (Real Real) Boolean)) 

Domains can be polymorphic, e.g., 

(domain (Set-Of T)) 

and then function symbols declared on such domains can also be polymorphic: 

(declare insert ((T) -> (T (Set-Of T)) (Set-Of T))) 

Note that in the declaration of a polymorphic symbol, the relevant sort parameters are listed within parentheses immediately before the arrow ->. The equality 
symbol = is a predefined relation symbol with sort ((T) -> (T T) Boolean). 
Inductively generated domains are introduced as structures , e.g., 

(structure Nat 
  zero 
  (succ Nat)) 

Here Nat is freely generated by the constructors zero and succ. This is equivalent 
to issuing the declarations (domain Nat), (declare zero Nat), (declare succ (-> 
(Nat) Nat)), and additionally postulating a number of axioms stating that Nat 
is freely generated by zero and succ. Those axioms along with an appropriate 
induction principle are automatically generated when the user defines the struc- 
ture. In this example, the induction principle will allow for proofs of statements 
of the form (Vn : Nat) P(n) by induction on the structure of the number n: 
(by-induction-on n (P n) 
  (zero D1) 
  ((succ k) D2)) 

where D1 is a proof of (P zero), the basis step, and D2 is a proof of (P (succ k)) 
for some fresh variable k, the inductive step. The inductive step D2 is performed 
under the assumption that (P k) holds, which represents the inductive 
hypothesis. More precisely, D2 is evaluated in the assumption base $\beta \cup \{(\mathrm{P\ k})\}$, 
where $\beta$ is the assumption base in which the entire inductive proof is being 
evaluated; more on assumption bases below. 

Structures can also be polymorphic, e.g., 

(structure (List-Of T) 
  nil 
  (cons T (List-Of T))) 

and correspondingly polymorphic free-generation axioms and inductive princi- 
ples are automatically generated. 

The basic data values in Athena are terms and propositions. Terms are s-expressions built from declared function symbols such as + and pi, and from 
variables, written as ?I for any identifier I. Thus ?x, (+ ?foo pi), (+ (+ ?x ?y) 
?z), are all terms. The (most general) sort of a term is inferred automatically; 
the user does not have to annotate variables with their sorts. A proposition $P$ 
is either a term of sort Boolean (say, (< pi (+ ?x ?y))); or an expression of the 
form (not $P$) or ($\odot$ $P_1$ $P_2$) for $\odot \in$ {and, or, if, iff}; or ($Q$ $x_1 \cdots x_n$ $P$) where 
$Q \in$ {forall, exists} and each $x_i$ a variable. Athena also checks the sorts of 
propositions automatically using a Hindley-Milner-like type inference algorithm. 

The user interacts with Athena via a read-eval-print loop. Athena displays 
a prompt >, the user enters some input (either a phrase to be evaluated or a top- 
level directive such as define, assert, declare, etc.), Athena processes the user’s 
input, displays the result, and the loop starts anew. 

The most fundamental concept in Athena is the assumption base — a finite 
set of propositions that are assumed to hold, representing our “axiom set” or 
“knowledge base”. Athena starts out with the empty assumption base, which 
then gets incrementally augmented with the conclusions of the deductions that 
the user successfully evaluates at the top level of the read-eval-print loop. A 
proposition can also be explicitly added into the global assumption base with the 
top-level directive assert. (Note that in Athena the keyword assert introduces 
a formula that is supposed to hold, whereas in Alloy assert introduces a formula 
that is to be checked.) 

An Athena deduction $D$ is always evaluated in a given assumption base $\beta$. 
Evaluating $D$ in $\beta$ will either produce a proposition $P$ (the “conclusion” of $D$ in 
$\beta$), or else it will generate an error or will diverge. If $D$ does produce a conclusion $P$, Athena's semantics guarantee $\beta \models P$, i.e., that $P$ is a logical consequence 
of $\beta$. There are several syntactic forms that can be used for deductions. 

The form pick-any introduces universal generalizations: 
(pick-any $I_1 \cdots I_n$ $D$) binds the names $I_1 \cdots I_n$ to fresh variables $v_1, \ldots, v_n$ 
and evaluates $D$. If $D$ yields a conclusion $P$, the result returned by the entire 
pick-any is $(\forall v_1, \ldots, v_n)\ P$. 

The form assume introduces conditionals: to evaluate (assume $P$ $D$) in an 
assumption base $\beta$, we evaluate $D$ in $\beta \cup \{P\}$. If that produces a conclusion $Q$, 
the conditional $P \Rightarrow Q$ is returned as the result of the entire assume. The form 
(assume-let (($I$ $P$)) $D$) works like assume, but also lexically binds the name $I$ 
to the hypothesis $P$ within $D$. 

The form (dlet (($I_1$ $D_1$) $\cdots$ ($I_n$ $D_n$)) $D$) is used for sequencing and naming deductions. To evaluate such a deduction in $\beta$, we first evaluate $D_1$ in $\beta$ to 
obtain a conclusion $P_1$. We then bind $I_1$ to $P_1$, insert $P_1$ into $\beta$, and continue 
with $D_2$. The conclusions $P_i$ of the various $D_i$ are thus incrementally added 
to the assumption base, becoming available as lemmas for subsequent use. The 
body $D$ is then evaluated in $\beta \cup \{P_1, \ldots, P_n\}$, and its conclusion becomes the 
conclusion of the entire dlet. 

Prioni starts by adding relational calculus axioms and already proved lem- 
mas to the empty assumption base. It then translates the Alloy specification 
and adds to the assumption base all translated constraints and definitions. Only 
the translated Alloy assertion is not added to the assumption base; rather, it 
constitutes the proof obligation. 

4 Axiomatization 

We next introduce certain key parts of our axiomatization of the calculus of 
relations in Athena. The axiomatization represents relations as sets of tuples in 
a typed first-order finite-set theory. Tuples of binary relations (i.e., ordered pairs) 
are represented with the following polymorphic Athena structure: (structure 
(Pair-Of S T) (pair S T)). Prioni introduces similar structures for tuples of 
greater length as needed. 

Sets are polymorphic, their sort being given by a domain constructor: (domain 
(Set-Of S)), and with the membership relation in typed as follows: 

(declare in ( (S) -> (S (Set-Of S)) Boolean)) 

Set equality is captured by an extensionality axiom set-ext, and set operations 
are defined as usual. We also introduce a singleton- forming operator: 

(declare singleton ((T) -> (T) (Set-Of T))) 

(define singleton-def 

(forall ?x ?y (iff (in ?x (singleton ?y)) (= ?x ?y)))) 

Relation operations are defined set-theoretically, e.g.: 

(declare transpose ((T) -> ((Set-Of (Pair-Of T T))) (Set-Of (Pair-Of T T)))) 

(define transpose-def 

(forall ?R ?x ?y (iff (in (pair ?x ?y) (transpose ?R)) 

(in (pair ?y ?x) ?R)))) 

(define pow-def-1 
  (forall ?R ?x ?y 
    (iff (in (tup [?x ?y]) (pow ?R zero)) 
         (= ?x ?y)))) 

(define pow-def-2 
  (forall ?R ?k ?x ?y 
    (iff (in (tup [?x ?y]) (pow ?R (succ ?k))) 
         (exists ?z 
           (and (in [?x ?z] ?R) 
                (in [?z ?y] (pow ?R ?k))))))) 

Alloy has one general composition operator ‘ . ’ that can be applied to two arbi- 
trary relations at least one of which has arity greater than one. Such a general 
operator could not be typed precisely in a Hindley-Milner-like type system such 
as that of Athena, and in any event, the general composition operator has a fairly 
involved definition that would unduly complicate theorem proving. So what our 
translation does instead is introduce a small number of specialized composition 
operators comp-n-m that compose relations of types $S_1 \times \cdots \times S_n$ and $T_1 \times \cdots \times T_m$, 
with $S_n = T_1$. Such operators are typed precisely and have straightforward definitions; for instance: 



(declare comp-2-2 ((S T U) -> ((Set-Of (Pair-Of S T)) (Set-Of (Pair-Of T U))) 
                               (Set-Of (Pair-Of S U)))) 

(forall ?R1 ?R2 ?x ?y 
  (iff (in (pair ?x ?y) (comp-2-2 ?R1 ?R2)) 
       (exists ?z 
         (and (in (pair ?x ?z) ?R1) 
              (in (pair ?z ?y) ?R2))))) 

Many Alloy specifications use only comp-1-2 and comp-2-2. In the less common 
cases, Prioni determines the arities at hand and automatically declares and 
axiomatizes the corresponding composition operators. 

Transitive closure is defined in terms of exponentiation. For the latter, we 
need a minimal theory of natural numbers: their definition as an inductive struc- 
ture and the primitive recursive definition of addition, in order to be able to prove 
statements such as $(\forall R, n, m)\ R^{n+m} = R^n \cdot R^m$. 

5 Translation 



Prioni automatically translates any Alloy specification into a corresponding 
Athena theory. A key aspect of this translation is that it preserves the meaning of 
the Alloy specification. We next show how Prioni translates our example Alloy 
specification into Athena. Each Alloy signature introduces an Athena domain: 

(domain Object-Dom) 

(domain Node-Dom) 



Additionally, each Alloy signature or field introduces a constant set of tuples 
whose elements are drawn from appropriate Athena domains: 



(declare Object (Set-Of Object-Dom)) 

(declare Node (Set-Of Node-Dom)) 

(declare next (Set-Of (Pair-Of Node-Dom Node-Dom))) 
(declare data (Set-Of (Pair-Of Node-Dom Object-Dom))) 






Konstantine Arkoudas et al. 



In our example, Alloy field declarations put additional constraints on the rela- 
tions. The translation adds these constraints into the global assumption base 
(i.e., a set of propositions that are assumed to hold, as explained in Section 3): 



(assert (is-fun next)) 

(assert (is-total-fun Node data)) 



where is-fun and is-total-fun are defined as expected. Each Alloy “function” 
introduces an Athena function symbol (which can be actually a relation symbol, 
i.e., a function to the Athena predefined sort Boolean): 

(declare elms (-> ((Set-Of Node-Dom)) (Set-Of Object-Dom))) 

(define elms-def 
(forall ?n ?result 

(iff (= (elms ?n) ?result) 

(and (and (singleton? ?n) (subset ?n Node)) 

(and (if (empty? (comp-1-2 ?n next)) 

(= ?result (comp-1-2 ?n data))) 

(if (not (empty? (comp-1-2 ?n next))) 

(= ?result (union (comp-1-2 ?n data) (elms (comp-1-2 ?n next)))))))))) 

(assert elms-def) 



where empty-def is as expected. Note that there are essentially two cases in 
elms-def: when (comp-1-2 ?n next) is empty, and when it is not. To facilitate 
theorem proving, we split elms-def into two parts, elms-def-1 and elms-def-2, 
each covering one of these two cases. Both of them are automatically derived 
from elms-def. 

Alloy facts are simply translated as formulas and added to the assumption base: 

(define AllAcyclic 

(forall ?n (not (subset (singleton ?n) (comp-1-2 (singleton ?n) (tc next)))))) 

(assert AllAcyclic) 



Finally, the assertion is translated into a proof obligation: 

(define Equivalence 

(forall ?n (= (elms (singleton ?n)) 

(comp-1-2 (comp-1-2 (singleton ?n) (rtc next)) data))))) 

Recall that all values in Alloy are relations. In particular, Alloy blurs the type 
distinction between scalars and singletons. In our Athena formalization, however, 
this distinction is explicitly present and can be onerous for the Alloy user. To 
alleviate this, Prioni allows users to intersperse Athena text with expressions 
and formulas written in an infix Alloy-like notation and enclosed within double 
quotes. (We will follow that practice in the sequel.) Even though this notation 
retains the distinction between scalars and singletons, it is nevertheless in the 
spirit of Alloy and should therefore prove more appealing to Alloy users than 
Athena's s-expressions. There are some other minor notational differences, e.g., 
we use * as a postfix operator and distinguish between set membership (in) 
and containment (subset). 
6 Proof 

The assertion Equivalence is an equality between sets. To prove this equality, we 
show that elms is sound: 

ALL n | elms({n}) subset {n}.next*.data                                   (1) 

and complete: 

ALL n | {n}.next*.data subset elms({n})                                   (2) 

The desired equality will then follow from set extensionality. 

The proof uses a few simple lemmas from Prioni’s library of results fre- 
quently used in relational reasoning: 



(define comp-monotonicity "ALL x y R | y in {x}.R* ==> {y}.R* subset {x}.R*") 

(define first-power-lemma "ALL x y R | [x y] in R ==> [x y] in R*") 

(define comp-lemma "ALL s1 s2 R | s1 subset s2 ==> s1.R subset s2.R") 

(define scalar-lemma "ALL x y R | y in {x}.R <==> [x y] in R") 

(define subset-rtc-lemma "ALL n R | {n} subset {n}.R*") 

(define fun-lemma "ALL n x R | [n x] in R & is-fun(R) ==> {x} = {n}.R") 

(define star-pow-lemma "ALL x n R S | x in ({n}.R*).S ==> 
                          (EXISTS m k | [n m] in R^k & [m x] in S)") 

and a couple of trivial set-theory lemmas: 

(define subset-trans "ALL s1 s2 s3 | (s1 subset s2) & (s2 subset s3) ==> s1 subset s3") 

(define union-lemma "ALL s1 s2 s | (s1 subset s) & (s2 subset s) ==> (s1 union s2) subset s") 

We also need the following two lemmas about next and data: 

(define elms-lemma-1 "ALL n | {n}.data subset ({n}.next*).data") 

(define elms-lemma-2 "ALL n | {n}.data subset elms({n})") 

The first follows immediately from comp-lemma and subset-rtc-lemma using the 
method prove (explained below); the second also follows automatically from the 
definitions of elms, union and subset. 



6.1 Soundness 

The soundness proof needs an induction principle for Alloy lists. Athena supports 
inductive reasoning for domains that are generated by a set of free constructors. 
But Alloy structures are represented here as constant sets of tuples, so we must 
find an alternative way to perform induction on them. In our list example, an 
appropriate induction principle is: 

    $\dfrac{(\forall n)\;(\neg(\exists m)\,[n,m] \in next) \Rightarrow P(n) \qquad (\forall n)(\forall m)\;[n,m] \in next \Rightarrow P(m) \Rightarrow P(n)}{(\forall n)\;P(n)}$

provided $(\forall n)\; n \notin \{n\}.next^{+}$.

The rule is best read backward: to prove that a property P holds for every 
node n, we must prove: 1) the left premise, which is the base case: if n does not 
have a successor, then P must hold for n; and 2) the right premise, which is 
the inductive step: P(n) must follow from the assumption P(m) whenever m is 
a successor of n. The proviso $(\forall n)\; n \notin \{n\}.next^{+}$ rules out cycles, which would 
render the rule unsound.
Athena makes it possible to introduce arbitrary inference rules via primitive 
methods. Unlike regular methods, whose bodies must be deductions, primitive 
methods are defined by expressions. (The distinction between expressions and 
deductions plays a key role in type-ω DPLs [2].) A primitive method is thus free 
to generate any conclusion it wishes by performing an arbitrary computation on 
its inputs. Since no guarantees can be made about soundness, primitive methods 
are part of one’s trusted base and must be used sparingly. 

We have implemented the above induction rule with a primitive method 
list-induction parameterized over the goal property P. P is implemented as 
an Athena function goal that constructs the desired proposition for a given 
argument. In this case, we have: 

(define (elms-goal n) "elms({n}) subset {n} .next* . data") 

The primitive method list-induction takes a goal as an argument, constructs 
the two premises from it, checks that they are in the assumption base along with 
the acyclicity constraint, and if successful, outputs (forall ?n (goal ?n)). 

The base step is proved automatically:

    (define base-step
      (!prove "ALL n | ~(EXISTS m | [n m] in next) ==> elms({n}) subset ({n}.next*).data"
              [elms-def empty-def scalar-lemma elms-lemma-1]))

where prove is a binary method.¹ (All method calls in Athena are prefixed 
with '!', which distinguishes them from Athena function calls [2].) A method 
call (!prove P [P1 ... Pn]) attempts to derive the conclusion P from the 
premises P1, ..., Pn, which must be in the current assumption base. If a proof 
is found, the conclusion P is returned. Currently, Otter is used for the proof 
search. Whereas deductive forms such as assume (and others explained in 
Section 3) are used to guide the deduction, prove is used to skip tedious steps. A call 
(!prove P [P1 ... Pn]) essentially says to Athena: "P follows from P1, ..., Pn by 
standard logical manipulations: universal specializations, modus ponens, etc. 
There is nothing interesting or deep here; you work out the details." If we are 
wrong, either because P does not in fact follow from P1, ..., Pn or because it 
is a non-trivial consequence of them, the method call will fail within a preset 
maximum time limit (currently 1 min). Otherwise, a proof will invariably be 
found almost instantaneously and P will be successfully returned.

The proof of the inductive step is more interesting:

    (pick-any x y
      (assume-let ((hyp "[x y] in next")
                   (ihyp (elms-goal y)))
        (dlet ((P1 (!prove "elms({x}) = {x}.data union elms({y})"
                           [elms-def-2 hyp fun-lemma (is-fun next) scalar-lemma empty-def]))
               (P2 (!prove "{y}.next* subset {x}.next*"
                           [hyp comp-monotonicity scalar-lemma first-power-lemma]))
               (P3 (!prove "({y}.next*).data subset ({x}.next*).data" [P2 comp-lemma]))
               (P4 (!prove "elms({y}) subset ({x}.next*).data" [P3 ihyp subset-trans])))
          (!prove "elms({x}) subset ({x}.next*).data" [P1 elms-lemma-1 P4 union-lemma]))))

¹ Currently, prove is a primitive method and thus Otter is part of our trusted base. 
However, it is not difficult to implement Otter's inference rules (paramodulation, 
etc.) as Athena methods and then use them to define prove as a regular method.

The key constructs of the proof (pick-any, assume-let, and dlet) are explained 
in Section 3. At this point, both the base case and the inductive step have been 
proved and are in the assumption base, so we can now apply list-induction to 
obtain the desired conclusion: (!list-induction elms-goal).



6.2 Completeness

Next we present the completeness proof of the statement {n}.next*.data subset 
elms({n}), for arbitrary n. Viewing the transitive closure next* as the union of 
next^k for all k, we proceed by induction on k. Specifically, we prove the following 
by induction on k:

    ALL k n m x | [n m] in next^k & [m x] in data ==> x in elms({n})          (3)

As before, we first define a function goal that constructs the inductive goal 
for any given k:

    (define (goal k) "ALL m n x | [n m] in next^k & [m x] in data ==> x in elms({n})")

The following is the inductive proof of (3):

    (by-induction-on ?k (goal ?k)
      (zero (!prove (goal zero) [elms-lemma-2 pow-def-1 scalar-lemma subset-def]))
      ((succ k) (pick-any m n x
                  (assume-let ((hyp "[n m] in next^k+1 & [m x] in data"))
                    (!prove "x in elms({n})" [hyp (goal k) pow-def-2 fun-lemma (is-fun next)
                                              scalar-lemma empty-def elms-def-2 union-def])))))

Finally, the completeness proof follows, where ind-lemma refers to (3).

    (pick-any n
      (!prove-subsets "({n}.next*).data" "elms({n})"
                      [elms-def star-pow-lemma scalar-lemma ind-lemma]))



Here prove-subsets is a defined method, which we will now explain. Although 
Otter is helpful in skipping tedious steps, its autonomous mode is not powerful 
enough to serve as a completely automatic theorem prover. More powerful theorem-proving 
algorithms that guide the proof search by exploiting heuristics for a particular 
problem domain can be encoded in Athena as methods, which are similar to 
the tactics and tacticals of HOL-like systems. Athena's semantics guarantee 
soundness: the result of any method call is always a logical consequence of the 
assumption base in which the call takes place.

A simple example of a method is prove-subsets, which captures the following 
"tactic" for arbitrary sets $S_1$ and $S_2$: to prove $S_1 \subseteq S_2$ from a set of assumptions 
$A$, consider an arbitrary $x$, suppose that $x \in S_1$, and then try to prove $x \in S_2$ 
under the assumptions $A \cup \{x \in S_1\}$. The justification for this tactic (i.e., the 
fact from which the desired goal will be derived once the subgoals have been 
established) is simply the definition of set containment. Such tactics are readily 
expressible as Athena methods.²

² Since sets in this problem domain are structured (i.e., elements are usually tuples), 
these methods employ some additional heuristics to increase efficiency.

Checking both directions (soundness and completeness) of the correctness 
proof takes about 1 sec in our current implementation. The whole proof for 
this example (including the lemma library and other auxiliary code) is available 
online: http://mulsaw.lcs.mit.edu/prioni/relmics03



7 Conclusions 

Prioni is a tool that integrates model checking and theorem proving for relational 
reasoning. Several other tools combine model checking and theorem proving 
but focus on reactive systems and modal logics [19,18] or general first-order 
logic [13], whereas Prioni focuses on structural system properties. Recently, 
Frias et al. [4] have given an alternative semantics to Alloy in terms of fork algebras 
[3] and extended it with features from dynamic logic [6]. Further, Lopez 
Pombo et al. [16] have used the PVS theorem prover [14] to prove specifications 
in the extended Alloy. This approach has been used for proving properties of 
execution traces, whereas Prioni has been used for structurally complex data.

A key issue in the usability of a theorem prover tool is the difficulty of 
finding proofs. We have addressed this issue by lightening the formalization 
burden through our automatic translation and by providing a lemma library that 
captures commonly used patterns in relational reasoning. Athena makes it easy 
to guide the proof, focusing on its interesting parts, while Otter automatically 
fills in the gaps. 
Abstract. We use fixed-point calculus to characterise winning strategies 
in impartial, two-person games. A byproduct is the fixed-point characterisation 
of winning, losing and stalemate positions. We expect the 
results to be most useful in teaching calculational reasoning about least 
and greatest fixed points.



Game theory [BCG82] is an active area of research for computing scientists. For 
example, it is a fruitful source of examples illustrating complexity theory, and it 
is also used as the basis for the semantics of model checking. Our interest in the 
area is as a test case for the use of formalisms for the constructive derivation 
of algorithms. Game theory is well-suited to our goals because it is about constructing 
winning strategies. Moreover, examples of games are easy to explain 
to students, they carry no theoretical overhead, and motivation is for free.

In the study of games, as in the book "Winning Ways" [BCG82], a basic assumption 
is that all games are terminating. Only limited attention has been paid 
to games where non-termination is possible (so-called "loopy" games [BCG82, 
chapter 12]). In this paper, we study impartial two-person games, in which 
non-termination is a possibility. We show how to characterise winning, losing and 
stalemate positions in terms of least and greatest fixed points of conjugate predicate 
transformers.

The division of positions into winning, losing and stalemate positions is well-known 
(see, for example, [SS93] or [BCG82]). The contribution of this paper 
is to focus on winning strategies; we formalise their construction in point-free 
relation algebra. A byproduct is the fixed-point characterisation of the different 
types of position.

In order to satisfy length restrictions, several proofs are omitted. A full version 
is available at the first author's website.

1 Impartial Two-Person Games

An impartial, two-person game is defined by a binary relation, denoted here by 
$M$. Elements of the domain of $M$ are called positions; pairs of positions related 
by $M$ are called moves.

R. Berghammer et al. (Eds.): RelMiCS/Kleene-Algebra Ws 2003, LNCS 3051, pp. 34–47, 2004. 
(c) Springer-Verlag Berlin Heidelberg 2004

Fig. 1. The lollipop game



Figure 1 is an example of a (non-well-founded) move relation. The positions 
are the nodes in the figure, and moves are indicated by arrows. We call it the 
lollipop game.

A game is started in a given position. Each player takes it in turn to move; 
in position $s$, a move is to a position $t$ such that $sMt$. The game ends when 
a player cannot move; the player whose turn it is to move then loses.

In fig. 1, the game ends in position 0. In position 1, there is a choice of two 
moves, either to position 0 or to position 2. In position 2, there is no choice of 
move; the only move that can be made is to position 1. The move relation is not 
well-founded because it is possible for a game to continue indefinitely, by cycling 
between positions 1 and 2.

Allowing the move relation to be non-well-founded introduces additional difficulties 
in the development of the theory. For example, in traditional game theory, 
a fundamental element is the definition of an equivalence relation on games; that 
this relation is reflexive is established by a "tit-for-tat" winning strategy (the 
"Tweedledum and Tweedledee Argument" in [BCG82]). But tit-for-tat is invalid 
in the case of non-well-founded game relations.

Throughout this paper, we use the Dijkstra-Scholten [DS90] notation for 
predicates and predicate transformers. In particular, we use square brackets to 
indicate that a predicate is true at all positions. For a given relation $R$, $dom.R$ 
and $rng.R$ are predicates characterising the domain and range of $R$, respectively. 
Formally, for all positions $s$, $dom.R.s = (\exists t :: sRt)$ and, for all positions $t$, 
$rng.R.t = (\exists s :: sRt)$. The composition of relations $R$ and $S$ is denoted by $R \bullet S$. 
Specifically, for all $s$ and $u$, $s(R \bullet S)u = (\exists t :: sRt \wedge tSu)$.



2 Strategies and Position Predicates 

2.1 Winning Strategies 

A winning position in a game is one from which the first player has a strategy 
to choose moves that guarantee that the game ends, within a finite number of 
moves, on the second player's turn to move. A losing position is one from which 
there are only moves into winning positions. All other positions are stalemate 
positions.

Formally, a winning strategy for game $M$ is a relation $W$ on positions, with 
the following three properties:

    $W \subseteq M$ ,                                                        (1)

    $W \bullet M$ is well-founded ,                                          (2)

    $(\forall t : rng.W.t : (\forall u : tMu : dom.W.u))$ .                  (3)

In words, a winning strategy is a subset of the move relation (1), such 
that repeatedly invoking the strategy, followed by making an arbitrary move, 
cannot continue indefinitely (2), and, from every position in the range of 
the strategy, every move is to a position in the domain of the strategy (3).

A position $s$ is a winning position if $s$ is in the domain of a winning strategy. 
A position $t$ is a losing position iff every move from $t$ is to a winning position. 
A position that is not a winning position or a losing position is a stalemate 
position.

In the lollipop game (fig. 1), node 0 is a losing position, since it is vacuously 
true that every move from this position is to a winning position. Node 1 
is a winning position: a winning strategy is to move from position 1 to position 0. 
(Formally, the winning strategy is the relation $\{(1,0)\}$.) Finally, node 2 
is a losing position, since every move from this position is to node 1, which we 
have determined to be a winning position.

There are no stalemate positions in the lollipop game. For several entertaining, 
non-trivial examples of games with stalemate positions, see [BCG82, 
chapter 12].

2.2 Winning and Losing

From the definition of winning and losing positions, we can identify two properties 
of positions that they must satisfy. First, losing equivales every move is into 
a winning position: for all positions $t$,

    $lose.t = (\forall u : tMu : win.u)$ .                                   (4)

(This is by definition.) Second, from a winning position there is always a move 
into a losing position: for all positions $s$,

    $win.s \Rightarrow (\exists t : sMt : lose.t)$ .                         (5)

The proof is straightforward:

      $win.s$
    = { definition of win }
      $(\exists W : WinningStrategy.W : dom.W.s)$
    = { definitions of $dom.W$ and $rng.W$, (3) }
      $(\exists W : WinningStrategy.W : (\exists t :: sWt \wedge (\forall u : tMu : dom.W.u)))$
    $\Rightarrow$ { calculus and (1) }
      $(\exists t :: sMt \wedge (\exists W : WinningStrategy.W : (\forall u : tMu : dom.W.u)))$
    $\Rightarrow$ { (4) and calculus }
      $(\exists t : sMt : lose.t)$ .

Note that (5) is an implication, not an equivalence. (See the last two steps 
in the calculation.) Knowing that there is a move from position $s$ to a losing 
position (i.e. $(\exists t : sMt : lose.t)$) is not sufficient to construct a winning strategy 
with domain containing $s$. This is illustrated by the lollipop game (fig. 1). An 
ignorant player might repeatedly choose to move from node 1 (a winning position) 
to node 2 (a losing position) in the mistaken belief that a winning 
strategy is simply to always leave the opponent in a losing position.

The converse implication is nevertheless true. Demonstrating, by formal calculation, 
that this is the case is the driving force behind several of our calculations.

2.3 The Predicate Transformers Some and All 

From (4), we abstract the predicate transformer $All.R$, defined by

    $All.R.p.s = (\forall t : sRt : p.t)$ ,                                  (6)

and, from (5), we abstract the predicate transformer $Some.R$, defined by

    $Some.R.p.s = (\exists t : sRt : p.t)$ .                                 (7)

In both definitions, $R$ is a relation on positions, $p$ is a predicate on positions, 
and $s$ and $t$ are positions.

The properties (3), (4) and (5) can be reformulated in a point-free form using 
these predicate transformers. Effective calculation is considerably enhanced by 
the convention of regarding a predicate on positions as a partial identity relation; 
the relation obtained by restricting the domain of a relation, $R$ say, to positions 
satisfying a predicate, $p$ say, is then simply the relation $p \bullet R$. Similarly, $R \bullet p$ is the 
relation obtained by restricting the range of relation $R$ to positions satisfying 
predicate $p$. In this way, properties (3), (4) and (5) become:

    $W = W \bullet All.M.(dom.W)$ ,                                          (8)

    $[lose = All.M.win]$ , and                                               (9)

    $[win \Rightarrow Some.M.lose]$ .                                        (10)

We record some simple properties of Some and All for later use. (The rules 
given here are used more than once. Other rules that are used once only are 
stated at the appropriate point in a calculation.) A property of All and rng is 
that, for all relations $R$ and all predicates $p$,

    $[All.R.p = All.R.(rng.R \Rightarrow p)]$ .                              (11)

The function Some is monotonic in its first argument. That is, for all relations $R$ 
and $S$, and all predicates $p$,

    $[Some.R.p \Rightarrow Some.S.p] \Leftarrow R \subseteq S$ .             (12)

(The function All is antimonotonic in its first argument. But, we don't use this 
rule.) The predicate transformers $Some.R$ and $All.R$ are monotonic. That is, for 
all relations $R$, and predicates $p$ and $q$,

    $[Some.R.p \Rightarrow Some.R.q] \Leftarrow [p \Rightarrow q]$ , and     (13)

    $[All.R.p \Rightarrow All.R.q] \Leftarrow [p \Rightarrow q]$ .           (14)

Consequently, for all relations $R$, $All.R \circ Some.R$ and $Some.R \circ All.R$ are also 
monotonic. (We use "$\circ$" for the composition of functions.)

A crucial observation is that, for all relations $R$, $Some.R$ and $All.R$ are 
conjugate predicate transformers. That is,

    $All.R = \neg \circ Some.R \circ \neg$ .                                 (15)

(This is just De Morgan's rule.) A simple consequence is that the predicate 
transformers $All.R \circ Some.R$ and $Some.R \circ All.R$ are also conjugate.



3 Fixed Points 

The main significance of the monotonicity properties (13) and (14) is the guaranteed 
existence of the least and greatest fixed points of compositions of these 
predicate transformers (where predicates are ordered as usual by "only-if", 
i.e. implication everywhere).

In this section, we first give a very brief summary of fixed-point calculus 
(subsection 3.1) before motivating a possible relationship between the winning 
and losing positions in a game, and fixed points of the predicate transformers 
$Some.R \circ All.R$ and $All.R \circ Some.R$ (subsection 3.2). That these predicate 
transformers are conjugates leads us to give a brief summary of the properties 
of fixed points of conjugate (monotonic) predicate transformers (subsection 3.3). 
The section is concluded by an analysis of moves of different type 
(subsection 3.4). Taken as a whole, the section establishes strong evidence for 
the claim that the winning and losing positions are characterised as least fixed 
points, but does not prove that this is indeed the case.
3.1 Basic Fixed-Point Calculus

We assume that the reader is familiar with fixed-point calculus. The fixed points 
we consider are of monotonic functions from relations to relations, and from 
predicates to predicates (so-called predicate transformers). The ordering on relations 
is the subset ordering (a relation is a set of pairs), and the ordering 
on predicates is "only-if" (i.e. implication everywhere).

We use $\mu$ to denote the function that maps a monotonic endofunction to 
its least fixed point, and $\nu$ to denote the function that maps a monotonic endofunction 
to its greatest fixed point. So, for example, $\mu(All.R \circ Some.R)$ denotes 
the least fixed point of the predicate transformer $All.R \circ Some.R$, and 
$\nu(All.R \circ Some.R)$ denotes its greatest fixed point. Sometimes, we need to be 
explicit about the ordering relation (for example, in the statement of the rolling 
rule below). If so, we write it as a subscript to $\mu$ or $\nu$.

For predicate transformers, the basic rules of the fixed-point calculus are as 
follows. The least fixed point $\mu f$ of the monotonic predicate transformer $f$ is a 
fixed point of $f$:

    $[\mu f = f.\mu f]$ ,                                                    (16)

that is "least" (i.e. "strongest") among all prefix points of $f$: for all predicates $p$,

    $[\mu f \Rightarrow p] \Leftarrow [f.p \Rightarrow p]$ .                 (17)

The dual rules for the "greatest" (i.e. "weakest") fixed point are obtained by 
replacing "$\mu$" by "$\nu$", and "$\Rightarrow$" by "$\Leftarrow$".

Rule (16) and its dual are called the computation rules, and rule (17) and 
its dual are called the induction rules.

The rolling rule is used several times. Suppose $f$ is a monotonic function to $A$, 
ordered by $\leq$, from $B$, ordered by $\sqsubseteq$, and suppose $g$ is a monotonic function to $B$ 
from $A$. Then, $f \circ g$ is a monotonic endofunction on $A$, and $g \circ f$ is a monotonic 
endofunction on $B$. Moreover,

    $\mu_{\leq}(f \circ g) = f.\mu_{\sqsubseteq}(g \circ f)$ .               (18)

3.2 Winning and Least Fixed Points

Eliminating lose from (9) and (10), we get:

    $[win \Rightarrow (Some.M \circ All.M).win]$ .

Consequently, by fixed point induction,

    $[win \Rightarrow \nu(Some.M \circ All.M)]$ .

Note that nowhere does this calculation exploit property (2), that the relation 
$W \bullet M$ is well-founded, of a winning strategy $W$. By doing so, we can strengthen 
the property, replacing "greatest" by "least". The key is to use a fixed-point 
characterisation of well-foundedness: a relation $R$ is well-founded exactly when 
the least fixed point of the predicate transformer $All.R$ is everywhere true (see 
e.g. [DBvdW97]). Formally, suppose $W$ is a winning strategy, and suppose $p$ is 
an arbitrary predicate. We calculate a condition on $p$, in terms of the predicate 
transformers $Some.M$ and $All.M$, that guarantees $[dom.W \Rightarrow p]$ as follows.

      $[dom.W \Rightarrow p]$
    $\Leftarrow$ { (2): $W \bullet M$ is well-founded, fixed point induction (17) }
      $[All.(W \bullet M).(dom.W \Rightarrow p) \Rightarrow (dom.W \Rightarrow p)]$
    = { aiming to remove leftmost "$(dom.W \Rightarrow)$", apply (11) }
      $[All.(W \bullet M).(rng.(W \bullet M) \wedge dom.W \Rightarrow p) \Rightarrow (dom.W \Rightarrow p)]$
    = { (3): in particular, $[rng.(W \bullet M) \wedge dom.W = rng.(W \bullet M)]$ }
      $[All.(W \bullet M).(rng.(W \bullet M) \Rightarrow p) \Rightarrow (dom.W \Rightarrow p)]$
    = { (11) }
      $[All.(W \bullet M).p \Rightarrow (dom.W \Rightarrow p)]$
    = { leftmost "$(dom.W \Rightarrow)$" has now been removed; now introduce Some: 
        for all $R$, $[dom.R = Some.R.true]$, calculus }
      $[All.(W \bullet M).p \wedge Some.W.true \Rightarrow p]$
    = { All distributes through composition }
      $[All.W.(All.M.p) \wedge Some.W.true \Rightarrow p]$
    $\Leftarrow$ { for all $R$, $p$ and $q$, $[All.R.p \wedge Some.R.q \Rightarrow Some.R.(p \wedge q)]$ }
      $[Some.W.(All.M.p) \Rightarrow p]$
    $\Leftarrow$ { $W \subseteq M$ (1), Some is monotonic (12) }
      $[(Some.M \circ All.M).p \Rightarrow p]$ .

We conclude that $[dom.W \Rightarrow p]$ if $p$ is any prefix point of $Some.M \circ All.M$. Since 
$\mu(Some.M \circ All.M)$ is the least prefix point of $Some.M \circ All.M$, we conclude that

    $[win \Rightarrow \mu(Some.M \circ All.M)]$ .                            (19)

A simple calculation gives the corresponding property of lose:

      $\mu(All.M \circ Some.M)$
    = { rolling rule: (18) }
      $All.M.\mu(Some.M \circ All.M)$
    $\Leftarrow$ { (14) and (19) }
      $All.M.win$
    = { (4), definition of All }
      $lose$ .

That is,

    $[lose \Rightarrow \mu(All.M \circ Some.M)]$ .                           (20)



3.3 Conjugate Monotonic Predicate Transformers

We remarked earlier that $Some.M \circ All.M$ is conjugate to $All.M \circ Some.M$. In 
this section, we give a brief summary of fixed-point theory applied to conjugate, 
monotonic predicate transformers.

Suppose $f$ and $g$ are conjugate, monotonic predicate transformers. Then,

    $\neg \circ g = f \circ \neg \;\wedge\; \neg \circ f = g \circ \neg$ .   (21)

Negation is a monotonic function from predicates ordered by "only-if" to predicates 
ordered by "if". So, by the rolling rule (18) for fixed points,

    $[\neg \mu f = \nu g]$ .                                                 (22)

An easy consequence of (22) is the following lemma.

Lemma 23 If $f$ and $g$ are conjugate, monotonic predicate transformers, the 
predicates $\mu f$, $\mu g$ and $\nu f \wedge \nu g$ are mutually distinct:

    $[\neg(\mu f \wedge \mu g) \;\wedge\; \neg(\mu f \wedge (\nu f \wedge \nu g)) \;\wedge\; \neg(\mu g \wedge (\nu f \wedge \nu g))]$

and together cover all positions:

    $[\mu f \vee \mu g \vee (\nu f \wedge \nu g)]$ .

□



3.4 Application to Win-Lose Equations

Since $Some.M \circ All.M$ and $All.M \circ Some.M$ are conjugate, monotonic predicate 
transformers, (19) and lemma 23 suggest that the winning positions are given 
by the predicate

    $\mu(Some.M \circ All.M)$ ,

the losing positions are given by

    $\mu(All.M \circ Some.M)$ ,

and the stalemate positions are given by

    $\nu(Some.M \circ All.M) \wedge \nu(All.M \circ Some.M)$ .

We abbreviate $\mu(Some.M \circ All.M)$ to $N$ and $\mu(All.M \circ Some.M)$ to $P$. We also 
abbreviate $\neg N \wedge \neg P$ to $O$.

In the standard game-theory nomenclature [BCG82], "$O$" is short for "open", 
"$N$" is short for "next player wins" and "$P$" is short for "previous player wins". 
We use the nomenclature here without interpretation in order to emphasise that 
we have yet to establish that $N$ describes the winning positions, $P$ describes the 
losing positions, and $O$ describes the stalemate positions.

The following lemma characterises the moves that are possible and not possible 
between the different types of position. (We use "$\bot\bot$" to denote the empty 
relation.)

Lemma 24

(a) From $O$, there is always a move to $O$: $[O \Rightarrow Some.M.O]$ .

(b) Every move from $O$ to $\neg O$ is to $N$: $O \bullet M \bullet \neg O = O \bullet M \bullet N$ .

(c) Moves from $\neg O$ to $O$ must start at $N$: $\neg O \bullet M \bullet O = N \bullet M \bullet O$ .

(d) From $N$, there is always a move to $P$: $[N \Rightarrow Some.M.P]$ .

(e) Every move from $P$ is to $N$: $P \bullet M = P \bullet M \bullet N$ .

(f) Consequently, there are no moves from $P$ to $O$: $P \bullet M \bullet O = \bot\bot$ ,

(g) and there are no moves between $P$ and itself: $P \bullet M \bullet P = \bot\bot$ .

(h) Every move to $P$ is from $N$: $M \bullet P = N \bullet M \bullet P$ .

(i) Consequently, there are no moves to $P$ from $O$: $O \bullet M \bullet P = \bot\bot$ .

□

Figure 2 summarises the discussion so far. The three disjoint predicates on 
positions, $P$, $N$ and $O$, are shown as "clouds". A solid arrow indicates the 
(definite) existence of a move of a certain type. A dotted arrow indicates the 
possible existence of a move of a certain type. So, the two solid arrows indicate 
that, for every $O$-position, there is a move to an $O$-position, and, for every $N$-position, 
there is a move to a $P$-position. The dotted arrows indicate that there 
may be moves from some $O$-positions to $N$-positions, from some $N$-positions to 
$O$-positions or $N$-positions, and from some $P$-positions to $N$-positions. Just as 
important, the absence of arrows indicates the impossibility of certain moves. 
No moves are possible from $P$-positions to $O$-positions or $P$-positions, and no 
moves are possible to $P$-positions from $O$-positions or $P$-positions.

Suppose that $N$ does indeed characterise the winning positions. Then, 
lemma 24 establishes that $O$ characterises the stalemate positions. After all, 
from $O$ it is always possible to remain in $O$. Moving out of it would place the 
opponent in an $N$-position, which we have assumed is a winning position. So, 
from $O$, the best strategy for both players is to remain in $O$, waiting for the 
opponent to make a mistake, and thus continuing the game indefinitely. This is 
what is meant by "stalemate".

4 Constructing a Winning Strategy

We now turn to the converse of (19). The proof is constructive: we exhibit an 
algorithm that constructs a winning strategy. Our algorithm is motivated by the 
following property of the moves from $N$ to $P$. (Note that $N \bullet M \bullet P$ is the set of 
moves from an $N$-position to a $P$-position.)

    $[N \bullet M \bullet P = (\cup R :: M \bullet All.M.(dom.R))]$ .        (25)

Fig. 2. Moves between $P$-, $N$- and $O$-positions. Solid lines mean there is a move, 
dotted lines mean there may be a move

The fixed-point characterisation suggests how to proceed. We assume that the 
number of positions is finite and consider an algorithm that incrementally computes 
a winning strategy $W$. Initially, $W$ is set to the empty relation (which 
is easily seen to be a winning strategy). Subsequently, $W$ is augmented by exploiting 
the fact that positions satisfying $All.M.(dom.W)$ are losing positions. 
Specifically, moves from positions not in the domain of $W$ to positions satisfying 
$All.M.(dom.W)$ are added to $W$. Formally, we introduce the function $f$ from 
relations to relations defined by, for all relations $R$,

    $f.R = \neg(dom.R) \bullet M \bullet All.M.(dom.R)$ ,                    (26)

and the function $g$ defined by, for all relations $R$,

    $g.R = R \cup f.R$ .                                                     (27)

Then, the algorithm is as follows:

    { number of positions is finite }
    $W := \bot\bot$   { $\bot\bot$ denotes the empty relation }
    ; { Invariant: $WinningStrategy.W$ }
    do $\neg(W = g.W) \rightarrow W := g.W$
    od
    { $WinningStrategy.W \wedge [dom.W = win = N]$ } .

Note that the function $g$ is not monotonic. (Take, for example, $M$ to be the 
relation $\{(a,b), (a,c)\}$, $R$ to be the empty relation and $S$ to be $\{(a,b)\}$. Then, 
$R \subseteq S$. But, $g.R = M$, whereas $g.S = S$. That is, $\neg(g.R \subseteq g.S)$.) So, although the 
algorithm computes a fixed point of $g$, standard fixed-point theory does not 
predict its existence. Nor can the rules of standard fixed-point calculus be used 
to reason about a fixed point of $g$.

The assumption that the number of positions is finite guarantees termination 
because each iteration either adds at least one position to the domain of $W$ or 
truthifies the termination condition, and there is an upper bound on the number 
of positions.

In the case that the number of positions is infinite, the algorithm can sometimes 
be used to determine whether a given position is a winning or losing 
position, by repeatedly executing the loop body until the position is added to 
the domain of $W$ (in which case it is a winning position) or to the range of $W$ 
(in which case it is a losing position). However, examples of games are easily 
constructed for which some winning positions are not eventually added to the 
domain of $W$, so the procedure does not constitute a semi-decision procedure 
for enumerating the winning positions. (The claim made by the authors in the 
draft paper is thus wrong.)
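The following Python is an added example (not code from the paper): it implements $Some.R$ and $All.R$ over a finite position set, computes $N$ and $P$ as least fixed points by Kleene iteration, checks the three winning-strategy properties, and runs the loop $W := g.W$ above on the lollipop game of fig. 1, on the paper's non-monotonicity example for $g$, and on a constructed game with stalemate positions. The position sets, the constructed cycle game and all function names are assumptions of the example.

```python
"""Added example, not from the paper: the predicate transformers Some.R and
All.R of section 2.3, the least fixed points N and P of section 3.4 (computed
by Kleene iteration over a finite position set) and the strategy-building loop
W := g.W of section 4.  A relation is a frozenset of (s, t) pairs; a predicate
is a frozenset of positions (its partial-identity view).  The games other than
the lollipop game and the paper's fork example are constructed here."""
from typing import Callable, FrozenSet, Tuple

Pos = str
Pred = FrozenSet[Pos]
Rel = FrozenSet[Tuple[Pos, Pos]]


def dom(R: Rel) -> Pred:
    return frozenset(s for s, _ in R)


def rng(R: Rel) -> Pred:
    return frozenset(t for _, t in R)


def some(R: Rel, p: Pred, pos: Pred) -> Pred:
    """Some.R.p.s = (exists t : sRt : p.t), definition (7)."""
    return frozenset(s for s in pos if any(t in p for u, t in R if u == s))


def all_(R: Rel, p: Pred, pos: Pred) -> Pred:
    """All.R.p.s = (forall t : sRt : p.t), definition (6); vacuously true at
    positions with no R-successor (the positions where the game ends)."""
    return frozenset(s for s in pos if all(t in p for u, t in R if u == s))


def conjugate_holds(R: Rel, p: Pred, pos: Pred) -> bool:
    """Checks (15), All.R = not o Some.R o not, for one predicate p."""
    return all_(R, p, pos) == pos - some(R, pos - p, pos)


def lfp(f: Callable[[Pred], Pred]) -> Pred:
    """Least fixed point of a monotonic predicate transformer, iterating
    from the strongest predicate (false everywhere); terminates because
    the position set is finite."""
    x: Pred = frozenset()
    while True:
        y = f(x)
        if y == x:
            return x
        x = y


def well_founded(R: Rel, pos: Pred) -> bool:
    """Characterisation used in section 3.2: R is well-founded exactly when
    mu(All.R) is everywhere true."""
    return lfp(lambda p: all_(R, p, pos)) == pos


def classify(M: Rel, pos: Pred) -> Tuple[Pred, Pred, Pred]:
    """N = mu(Some.M o All.M), P = mu(All.M o Some.M), O = not N and not P."""
    N = lfp(lambda p: some(M, all_(M, p, pos), pos))
    P = lfp(lambda p: all_(M, some(M, p, pos), pos))
    return N, P, pos - N - P


def g(W: Rel, M: Rel, pos: Pred) -> Rel:
    """g.R = R union f.R with f.R = not(dom.R) . M . All.M.(dom.R), (26)-(27)."""
    d = dom(W)
    losing = all_(M, d, pos)
    f = frozenset((s, t) for s, t in M if s not in d and t in losing)
    return W | f


def build_strategy(M: Rel, pos: Pred) -> Rel:
    """The loop of section 4: W := empty; do not(W = g.W) -> W := g.W od."""
    W: Rel = frozenset()
    while True:
        W2 = g(W, M, pos)
        if W2 == W:
            return W
        W = W2


def is_winning_strategy(W: Rel, M: Rel, pos: Pred) -> bool:
    """Properties (1), (2) and (3) of a winning strategy, checked directly."""
    WM = frozenset((s, u) for s, t in W for v, u in M if t == v)  # W . M
    return (W <= M and well_founded(WM, pos)
            and rng(W) <= all_(M, dom(W), pos))


# The lollipop game of fig. 1: moves 1->0, 1->2 and 2->1.
LOLLIPOP_POS: Pred = frozenset({"0", "1", "2"})
LOLLIPOP: Rel = frozenset({("1", "0"), ("1", "2"), ("2", "1")})
# Constructed: a two-cycle a<->b plus an isolated c; a and b are stalemate.
CYCLE_POS: Pred = frozenset({"a", "b", "c"})
CYCLE: Rel = frozenset({("a", "b"), ("b", "a")})
# The paper's non-monotonicity example for g: M = {(a,b), (a,c)}.
FORK_POS: Pred = frozenset({"a", "b", "c"})
FORK: Rel = frozenset({("a", "b"), ("a", "c")})

if __name__ == "__main__":
    for name, M, pos in [("lollipop", LOLLIPOP, LOLLIPOP_POS),
                         ("cycle", CYCLE, CYCLE_POS)]:
        N, P, O = classify(M, pos)
        W = build_strategy(M, pos)
        print(name, "N =", sorted(N), "P =", sorted(P), "O =", sorted(O),
              "W =", sorted(W), "dom.W == N:", dom(W) == N)
```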

The invariant property is simply that $W$ is a winning strategy. Crucial to 
establishing the converse of (19) is the claim that, on termination,

    $[dom.W = win = N]$ .

That is, a maximal winning strategy has been constructed (i.e. $[dom.W = win]$) 
and the winning positions are precisely characterised by the least fixed point of 
the predicate transformer $Some.M \circ All.M$ (i.e. $[win = N]$).

To establish the conditional correctness of the algorithm, we must verify 
the invariant property. The invariant is obviously truthified by the assignment 
$W := \bot\bot$. To establish that it is maintained by the loop body, it suffices to 
verify three properties:

    $g.W \subseteq M = W \subseteq M$ ,                                                  (28)

    $WellFounded.(g.W \bullet M) \Leftarrow WinningStrategy.W$ ,                         (29)

    $g.W = g.W \bullet All.M.(dom.(g.W)) \Leftarrow WinningStrategy.W$ .                  (30)

(Compare (28) with (1), (29) with (2), and (30) with (8), the point-free form of 
(3).)

Property (28) is obviously true. To prove (29), we use the theorem that, 
for all relations $R$ and $S$, $R \cup S$ is well-founded if $R$ is well-founded, $S$ is well-founded, 
and $S \bullet R = \bot\bot$. (This is a special case of a general theorem on the 
well-foundedness of the union of well-founded relations [DBvdW97].) So,

      $WellFounded.(g.W \bullet M)$
    $\Leftarrow$ { above mentioned theorem, $g.W = W \cup f.W$ }
      $WellFounded.(W \bullet M) \wedge WellFounded.(f.W \bullet M) \wedge W \bullet M \bullet f.W \bullet M = \bot\bot$
    = { $W \bullet M$ is well-founded, since $WinningStrategy.W$ }
      $WellFounded.(f.W \bullet M) \wedge W \bullet M \bullet f.W \bullet M = \bot\bot$ .

Continuing with each conjunct individually,

      $WellFounded.(f.W \bullet M)$
    = { fixed-point characterisation of well-founded [DBvdW97] }
      $(\nu X :: f.W \bullet M \bullet X) = \bot\bot$
    $\Leftarrow$ { for all $R$, $(\nu X :: R \bullet X) = R \bullet R \bullet (\nu X :: R \bullet X)$, 
        $\bot\bot$ is zero of composition }
      $f.W \bullet M \bullet f.W \bullet M = \bot\bot$
    $\Leftarrow$ { definition of $f$, $\bot\bot$ is zero of composition }
      $All.M.(dom.W) \bullet M \bullet \neg(dom.W) = \bot\bot$
    $\Leftarrow$ { $All.M.(dom.W) \bullet M = All.M.(dom.W) \bullet M \bullet dom.W$, 
        $\bot\bot$ is zero of composition }
      $dom.W \bullet \neg(dom.W) = \bot\bot$
    = { composition of predicates is their conjunction }
      $true$ .

The proof that $W \bullet M \bullet f.W \bullet M = \bot\bot$ is similar.

Property (30) is proved as follows. 

$g.W \cdot All.M.(dom.(g.W))$ 

$\supseteq$ { $g.W \supseteq W$ ; $dom$ and $All.M$ are monotonic } 

$g.W \cdot All.M.(dom.W)$ 

$=$ { $g.W = W \cup f.W$ , distributivity } 

$W \cdot All.M.(dom.W) \;\cup\; f.W \cdot All.M.(dom.W)$ 

$=$ { by assumption, $WinningStrategy.W$ . 
So, by (8), $[\,W = W \cdot All.M.(dom.W)\,]$ . 
Also, $f.W = f.W \cdot All.M.(dom.W)$ as composition 
of partial identity relations is idempotent } 

$W \cup f.W$ 

$=$ { definition of $g$ } 

$g.W$ . 

We have thus proved that 

$g.W \cdot All.M.(dom.(g.W)) \;\supseteq\; g.W$ 

(under the assumption that $W$ is a winning strategy). Equality of the left and 
right sides (that is (30)) follows from the fact that $All.M.(dom.(g.W))$ is a partial 
identity relation. 

We now turn to the postcondition. We know that $WinningStrategy.W$ is an 
invariant. So, at all stages, including on termination, $[\,dom.W \Rightarrow win\,]$. We show 
that the converse implication follows from the fact that, on termination, $W$ is 
a fixed point of $g$. (Note that $g$ does not have a unique fixed point: $M \cdot P$ is also 
a fixed point of $g$. We leave the proof to the reader.) 

We have, for all relations $R$, 

$R = g.R$ 

$=$ { set calculus, definition of $g$ } 

$\neg(dom.R) \cdot M \cdot All.M.(dom.R) \;\subseteq\; R$ 

$\Rightarrow$ { $dom$ is monotonic } 

$[\,dom.(\neg(dom.R) \cdot M \cdot All.M.(dom.R)) \Rightarrow dom.R\,]$ 

$=$ { for all predicates $p$ and $q$, 
$[\,dom.(p \cdot M \cdot All.M.q) = p \wedge (Some.M \circ All.M).q\,]$ } 

$[\,\neg(dom.R) \wedge (Some.M \circ All.M).(dom.R) \Rightarrow dom.R\,]$ 

$=$ { predicate calculus } 

$[\,(Some.M \circ All.M).(dom.R) \Rightarrow dom.R\,]$ 

$\Rightarrow$ { fixed-point induction, definition of $\mathcal{N}$ } 

$[\,\mathcal{N} \Rightarrow dom.R\,]$ . 

That is, for all relations $R$, 

$(R = g.R) \;\Rightarrow\; [\,\mathcal{N} \Rightarrow dom.R\,]$ . (31) 

Combining (31) with (19), we get that, on termination, 

$[\,(win \Rightarrow \mathcal{N}) \wedge (\mathcal{N} \Rightarrow dom.W)\,]$ . 

But, since $W$ is a winning strategy, by definition of $win$, $[\,dom.W \Rightarrow win\,]$. Thus, 
by antisymmetry of implication, on termination, 

$[\,dom.W = \mathcal{N} = win\,]$ . 



5 Conclusion 

There is a very large and growing amount of literature on game theory — too 
much for us to try to summarise here — and fixed-point characterisations of 
winning, losing and stalemate positions are likely to be well-known. Nevertheless, 
the properties we have proved are often justified informally, or simply assumed. 
For example, Schmidt and Ströhlein [SS93] state lemma 24, but they provide 
no formal justification. Berlekamp, Conway and Guy [BCG82, chapter 12] assert 
that every position is in $\mathcal{N}$, $\mathcal{P}$ or $\mathcal{O}$, and describe the algorithm for calculating 
$\mathcal{P}$-positions. But, their account is entirely informal (in the spirit of the rest of the 
book, it has to be said). 

Surprisingly, exploitation of the simple fact that the predicate transformers 
$All.M$ and $Some.M$ are conjugate seems to be new; if it is not, then it appears 
to be not as well-known as it should be. Also, our focus on winning strategies 
rather than winning positions appears to be novel; we have yet to encounter any 
publication that formalises the notion of a winning strategy. 

However, it would be wrong to claim that this paper presents novel results. 
But that is not our goal in writing the paper. Our goal is to use simple games 
to explain, in a calculational framework, the all-important concepts of least and 
greatest fixed points to students of computing science. Of course, we would not 
present this paper, as written here, to our students (concrete examples like 
those discussed by Berlekamp, Conway and Guy are vital), but it is on the 
extent to which our paper succeeds in providing a basis for teaching material 
that we would wish the paper to be judged. 
Abstract. We present a new algorithm for checking the shape-safety 
of pointer manipulation programs. In our model, an abstract, data-less 
pointer structure is a graph. A shape is a language of graphs. A pointer 
manipulation program is modelled abstractly as a set of graph rewrite 
rules over such graphs where each rule corresponds to a pointer manipu- 
lation step. Each rule is annotated with the intended shape of its domain 
and range and our algorithm checks these annotations. 

We formally define the algorithm and apply it to a binary search tree in- 
sertion program. Shape-safety is undecidable in general, but our method 
is more widely applicable than previous checkers, in particular, it can 
check programs that temporarily violate a shape by the introduction of 
intermediate shape definitions. 



1 Introduction 

In imperative programming languages, pointers are key to the efficiency of many 
algorithms. But pointer programming is an error-prone weak point in software 
development. The type systems of most current programming languages cannot 
detect non-trivial pointer errors which violate the intended shapes of pointer 
data structures. From a programming languages viewpoint, programmers need 
means by which to specify the shapes of pointer data structures, together with 
safety checkers to guarantee statically that a pointer program always preserves 
these shapes. 

For example, Figure 1 defines a simple program for insertion in binary search 
trees, written in a pseudo-C notation. Ideally the type system of this language 
should allow a definition of BT to specify exactly the class of binary trees, and the 
type checker would verify that whenever the argument t is a pointer to a binary 
tree and insert returns, the result is a pointer to a binary tree. Such a system 
would guarantee that the program does not create any dangling pointers or 
shape errors such as creating sharing or cycles within the tree and that there are 
no null pointer dereferences. It would not guarantee the stronger property that 
insert does insert d properly at the appropriate place in the tree because that 
is not a pointer safety issue. 

The method developed in our Safe Pointers by Graph Transformation 
project [SPG] is to specify the shape of a pointer data-structure by graph reduc- 
tion rules, see Section 2 and [BPR03b]. Section 3 models the operations upon the 
    BT *insert(datum d, BT *t) = {
      a := t;
      while branch(a) && a->data != d do
        if a->data > d
          then a := a->left
          else a := a->right;
      if leaf(a)
        then *a := branch[data=d, left=leaf, right=leaf];
      return(t)
    }

Fig. 1. Binary search tree insertion program 



data structure by more general graph transformation rules. Section 5 describes 
our language-independent algorithm for checking shape preservation, which is 
based on Fradet and Le Métayer's algorithm [FM97, FM98]. It automatically 
proves the shape safety of operations such as search, insertion and deletion in 
cyclic lists, linked lists and binary search trees. It can also handle operations that 
temporarily violate shapes if the intermediate shapes are specified, see Section 4. 
Section 6 considers related work and concludes. 

This paper formalises the overview we gave in [BPR03a]; a much more detailed 
explanation, including the proofs omitted from this paper and a number 
of alternative checking algorithms, is provided by the technical report [Bak03]. 

2 Specifying Shapes by Graph Reduction 

A shape is a language of labelled, directed graphs. This section summarises our 
method of specifying shapes (see [BPR03b]) and presents an example specification 
of binary trees. 

A graph $G = (V_G, E_G, s_G, t_G, l_G, m_G)$ consists of: a finite set of nodes $V_G$; 
a finite set of arcs $E_G$; total functions $s_G, t_G : E_G \to V_G$ assigning a source and 
target vertex to each arc; a partial node labelling function $l_G : V_G \to \mathcal{L}_V$; and 
a total arc labelling function $m_G : E_G \to \mathcal{L}_E$. Graph $G$ is an abstract model of 
a pointer data structure which retains only the pointer fields. Each node models 
a record of pointers. Nodes are labelled from the node alphabet $\mathcal{L}_V$ to indicate 
their tag. Graph arcs model a pointer field of their source node; their label, 
drawn from the arc alphabet $\mathcal{L}_E$, indicates which pointer field. The label type 
function $type : \mathcal{L}_V \to \mathcal{P}(\mathcal{L}_E)$ specifies that if node $v$ is labelled $l$ and the source 
of arc $e$ is $v$ then the label of $e$ must be in $type(l)$ and $e$ must be the only such 
arc. Together, $(\mathcal{L}_V, \mathcal{L}_E, type)$ form a signature $\Sigma$ and $G$ is a $\Sigma$-graph. 

Graphs may occur in rewrite rules or as language (shape) members. Language 
members are always $\Sigma$-total, meaning that every node $v$ is labelled with some $l$ 
and the labels of the arcs whose source is $v$ together equal $type(l)$; so they model 
closed pointer structures with no missing or dangling pointers. 
A graph morphism $g : G \to H$ consists of a node mapping $g_V : V_G \to V_H$ and 
an arc mapping $g_E : E_G \to E_H$ that preserve sources, targets and labels: 
$s_H \circ g_E = g_V \circ s_G$, $t_H \circ g_E = g_V \circ t_G$, $m_H \circ g_E = m_G$ and 
$l_H(g_V(v)) = l_G(v)$ for all nodes $v$ where $l_G(v) \neq \bot$. An isomorphism is a 
morphism that is injective and surjective in both components and maps unlabelled 
nodes to unlabelled nodes. If there is an isomorphism from $G$ to $H$ they are 
isomorphic, denoted by $G \cong H$. Applying morphism $g : G \to H$ to graph $G$ yields 
a graph $gG$ where: $V_{gG} = g_V V_G$ (i.e. apply $g_V$ to each node in $V_G$); 
$E_{gG} = g_E E_G$; $s_G(e) = n \Leftrightarrow s_{gG}(g_E(e)) = g_V(n)$ and similarly for targets; 
$m_G(e) = m \Leftrightarrow m_{gG}(g_E(e)) = m$; $l_G(n) = l \Leftrightarrow l_{gG}(g_V(n)) = l$. 

A graph inclusion $H \supseteq G$ is a graph morphism $g : G \to H$ such that $g(x) = x$ 
for all nodes and arcs $x$ in $G$. 

A rule $r = (L \supseteq K \subseteq R)$ consists of three graphs: the interface graph $K$ 
and the left and right graphs $L$ and $R$ which both include $K$. Intuitively, a rule 
deletes nodes and arcs in $L - K$, preserves those in $K$ and allocates those in 
$R - K$. Our pictures of rules show the left and right graphs; the interface is 
always just their common nodes which are indicated by numbers. 

Graph $G$ directly derives graph $H$ through rule $r = (L \supseteq K \subseteq R)$, injective 
morphism $g$ and isomorphism $i$, written $G \Rightarrow H$ or $G \Rightarrow_{r,g,i} H$, if the diagram 
below consists of pushouts (1) and (2) and an $i$ arrow (see [HMP01] for a full 
definition of pushouts). 

    L  ⊇  K  ⊆  R
    g↓ (1) ↓ (2) ↓
    G  ⊇  D  ⊆  H' —i→ H

Injectivity means that distinct nodes in $L$ must be distinct in $gL$; the pushout 
construction means that deleted nodes, those in $gL - gK$, cannot be adjacent to 
any arcs in $D$ if the derivation exists (the dangling condition). 

If $H = G$ or $H$ is derived from $G$ by a sequence of direct derivations using 
rules in set $\mathcal{R}$ we write $G \Rightarrow^*_{\mathcal{R}} H$ or $G \Rightarrow^* H$. If no graph can be directly derived 
from $G$ through a rule in $\mathcal{R}$ we say $G$ is $\mathcal{R}$-irreducible. 

A GRS (graph reduction specification) $S = (\Sigma, \mathcal{R}, Acc)$ consists of a signature 
$\Sigma$, a set of $\Sigma$-total rules $\mathcal{R}$ and a $\Sigma$-total $\mathcal{R}$-irreducible accepting graph $Acc$. 
It defines a language $\mathcal{L}(S) = \{G \mid G \Rightarrow^*_{\mathcal{R}} Acc\}$. 

So a GRS is a reversed graph grammar: $Acc$ corresponds to the start graph 
and $\mathcal{R}$ corresponds to reversed production rules. The rules are $\Sigma$-total, meaning 
that if $G \Rightarrow_{\mathcal{R}} H$ then $G$ is a $\Sigma$-total graph iff $H$ is a $\Sigma$-total graph. So GRSs 
are guaranteed to define languages of pointer structure models. 

A GRS $S$ is polynomially terminating if there is a polynomial $p$ such that for 
every derivation $G \Rightarrow_{\mathcal{R}} G_1 \Rightarrow_{\mathcal{R}} \cdots \Rightarrow_{\mathcal{R}} G_n$, $n < p(\#V_G + \#E_G)$. It is closed if 
$G \in \mathcal{L}(S)$ and $G \Rightarrow_{\mathcal{R}} H$ implies $H \in \mathcal{L}(S)$. A PGRS is a polynomially terminating 
and closed GRS. Membership of PGRS languages is decidable in polynomial 
time; this and sufficient conditions for closedness, polynomial termination and 
$\Sigma$-totality are discussed in [BPR03b]. 
[Fig. 2 (rule pictures not reproduced): the BT signature 
$\Sigma_{BT} = (\{R, B, L\}, \{o, l, r\}, \{R \mapsto \{o\}, B \mapsto \{l, r\}, L \mapsto \{\}\})$, 
the reduction rule BtoL and the accepting graph $Acc_{BT}$.] 

Fig. 2. A PGRS of rooted binary trees, BT. 
For example, a rooted binary tree is a graph containing one root node labelled 
R and a number of other nodes labelled B(ranch) or L(eaf). Branch nodes 
have l(eft) and r(ight) outgoing arcs, the root has one o(rigin) outgoing arc and 
leaf nodes have no outgoing arcs. Branches and leaves all have one incoming arc, 
the root has no incoming arcs and every node is reachable from the root. If every 
branch contains a data item, the leaves contain no data and the data is ordered, 
it is a binary search tree. 

The data-less shape is specified by the PGRS BT in Fig. 2. The BT signature 
allows nodes to be labelled R, B or L, where R-nodes have an o-labelled outgoing 
arc, B-nodes have two outgoing arcs labelled l and r, and L-nodes have no 
outgoing arcs. The BT accepting graph $Acc_{BT}$ is the smallest possible tree and 
every other tree reduces to it by repeatedly applying the reduction rule BtoL to 
its branches. No non-tree reduces to $Acc_{BT}$ because BtoL is matched injectively 
and cannot be applied if deleted nodes are adjacent to arcs outside the left-hand 
side of the rule, see [BPR03b] for an example. BT is polynomially terminating 
and closed because BtoL is size reducing and non-overlapping. See [BPR03b] for 
full details. 
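As an added example (not code from the paper or the SPG project), the following Python decides membership in the BT shape the way this section describes: a graph over the BT signature is reduced by BtoL, matched injectively and subject to the dangling condition, until it is irreducible, and it is accepted iff the normal form is $Acc_{BT}$; it also checks $\Sigma$-totality first. The graph encoding, the function names and the constructed tree, shared-leaf, cyclic and missing-arc inputs are assumptions, not the paper's notation.

```python
"""Membership in the binary-tree shape BT of Fig. 2, decided by graph reduction.
Added example (not code from the paper or the SPG project): a data-less pointer
structure is a labelled graph over the BT signature; BtoL (a branch whose
children are two distinct, unshared leaves becomes a leaf) is applied until no
match remains, and the graph is in L(BT) iff the normal form is Acc_BT. Node
names are arbitrary constructed identifiers."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

SIGNATURE = {"R": {"o"}, "B": {"l", "r"}, "L": set()}  # type(l) for each node label

@dataclass
class Graph:
    labels: Dict[str, str]            # node -> label
    arcs: Dict[Tuple[str, str], str]  # (source node, arc label) -> target node

def make_graph(labels: Dict[str, str], *arcs: Tuple[str, str, str]) -> Graph:
    return Graph(dict(labels), {(s, a): t for s, a, t in arcs})

def is_total(g: Graph) -> bool:
    """Sigma-total: every node labelled, with exactly the outarcs type(l) demands."""
    for v, lab in g.labels.items():
        if lab not in SIGNATURE or {a for s, a in g.arcs if s == v} != SIGNATURE[lab]:
            return False
    return all(t in g.labels for t in g.arcs.values())

def indegree(g: Graph, v: str) -> int:
    return sum(1 for t in g.arcs.values() if t == v)

def match_btol(g: Graph) -> Optional[Tuple[str, str, str]]:
    """First injective match of BtoL's left graph (branch b with leaf children x, y)
    that satisfies the dangling condition: x != y, and the leaves to be deleted have
    no arc outside the match, i.e. no second inarc (leaves have no outarcs)."""
    for b, lab in g.labels.items():
        if lab != "B":
            continue
        x, y = g.arcs.get((b, "l")), g.arcs.get((b, "r"))
        if x is None or y is None or x == y or g.labels[x] != "L" or g.labels[y] != "L":
            continue
        if indegree(g, x) == 1 and indegree(g, y) == 1:
            return b, x, y
    return None

def apply_btol(g: Graph, b: str, x: str, y: str) -> Graph:
    """One double-pushout step: delete L - K (x, y and their inarcs), relabel b to L."""
    labels = {v: lab for v, lab in g.labels.items() if v not in (x, y)}
    labels[b] = "L"
    return Graph(labels, {k: t for k, t in g.arcs.items() if k not in ((b, "l"), (b, "r"))})

def reduce_bt(g: Graph) -> Tuple[Graph, int]:
    """Reduce to a BtoL-irreducible graph; BT is closed, so match order is irrelevant."""
    steps = 0
    while (m := match_btol(g)) is not None:
        g, steps = apply_btol(g, *m), steps + 1
    return g, steps

def is_accepting(g: Graph) -> bool:
    """Isomorphic to Acc_BT: one R node, one L node and a single o-arc from R to L."""
    if sorted(g.labels.values()) != ["L", "R"] or len(g.arcs) != 1:
        return False
    (src, a), tgt = next(iter(g.arcs.items()))
    return a == "o" and g.labels[src] == "R" and g.labels[tgt] == "L"

def in_bt(g: Graph) -> bool:
    """G is in L(BT) iff it is Sigma-total and reduces to the accepting graph."""
    return is_total(g) and is_accepting(reduce_bt(g)[0])

# Constructed inputs.  TREE: a proper tree with three branches.
TREE = make_graph({"r": "R", "b1": "B", "b2": "B", "b3": "B", "x1": "L", "x2": "L", "x3": "L", "x4": "L"},
                  ("r", "o", "b1"), ("b1", "l", "b2"), ("b1", "r", "b3"), ("b2", "l", "x1"),
                  ("b2", "r", "x2"), ("b3", "l", "x3"), ("b3", "r", "x4"))
# SHARED: b2 and b3 both point at leaf x2, which therefore has two inarcs (a DAG).
SHARED = make_graph({"r": "R", "b1": "B", "b2": "B", "b3": "B", "x1": "L", "x2": "L", "x3": "L"},
                    ("r", "o", "b1"), ("b1", "l", "b2"), ("b1", "r", "b3"), ("b2", "l", "x1"),
                    ("b2", "r", "x2"), ("b3", "l", "x2"), ("b3", "r", "x3"))
# CYCLIC: b2's r-arc points back up to b1.
CYCLIC = make_graph({"r": "R", "b1": "B", "b2": "B", "x1": "L", "x2": "L"},
                    ("r", "o", "b1"), ("b1", "l", "b2"), ("b1", "r", "x1"),
                    ("b2", "l", "x2"), ("b2", "r", "b1"))
# MISSING: a branch without its r-arc, so not even Sigma-total (a dangling pointer).
MISSING = make_graph({"r": "R", "b1": "B", "x1": "L"}, ("r", "o", "b1"), ("b1", "l", "x1"))

if __name__ == "__main__":
    for name, g in [("tree", TREE), ("shared", SHARED), ("cyclic", CYCLIC), ("missing", MISSING)]:
        steps = reduce_bt(g)[1] if is_total(g) else 0
        print(f"{name:8s} total={is_total(g)!s:5s} BtoL steps={steps} in L(BT)={in_bt(g)}")
```

The shared and cyclic graphs are Σ-total yet stuck at zero reduction steps, which is exactly the injectivity and dangling-condition argument the text gives for why no non-tree reduces to the accepting graph.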

3 Graph Transformation Models of Pointer Programs 

Textbooks on data structures often present pointer programs pictorially and then 
formalise them as imperative programs. In our approach a pictorial presentation 
is a formal graph-transformation model of a program. 

A model pointer program in the sense of this paper is a set of rules with 
a strategy for their application (see [HP01] for more on the syntax and 
semantics of such programs). Programs may temporarily violate the shape of 
a graph so the rule construction is not as restricted as the $\Sigma$-total reduction 
rules. 

The rules in Fig. 3 model all the pointer manipulation steps in a binary search 
tree insertion program such as that in Figure 1. They manipulate graphs over 
two signatures, AT is an extension of BT which allows A-labelled nodes with 
two outgoing arcs labelled a and o. The idea is to model insertion by replacing 
the R-labelled tree root with an A-labelled auxiliary root , moving the a-arc to the 
insertion position and changing the tree structure at that point appropriately. 
So the control strategy is to apply the Begin rule once, then apply GoLeft and 
GoRight any number of times, then apply either Insert or Found. 

[Fig. 3 (rule pictures not reproduced): the rules and their shape annotations 
Begin : BT × AT; GoLeft : AT × AT; GoRight : AT × AT; Found : AT × BT; 
Insert : AT × BT, the latter two given for the cases {1 = 2, 1 ≠ 2}.] 

Fig. 3. Transformation rules modelling binary search tree insertion. In Found and 
Insert, nodes 1 and 2 may either be distinct or identical 

The semantics of our program is the following binary relation $\to_{ins}$ on BT graphs, 
which represents every possible insertion of every possible element in every possible 
tree. 



A simple type-checker verifies that the declared range shape of Begin matches 
the domain shape of GoLeft and GoRight and that the declared range shape 
of GoLeft and GoRight matches their domain shape and the domain shape 
of Insert and Found. Shape checking aims to prove the individual rule shape 
annotations. 

The Begin rule relabels the root A and introduces an auxiliary pointer a to 
the origin; this is a simple model of procedure call. Then, if the branch pointed to 
by a contains the datum to insert, the procedure should just return, removing a 
and relabelling the root back to R, which is done by Found. If a points to a leaf 
the datum is not present in the tree so a new branch should be allocated to 
hold it and the procedure should return, this is done by Insert. If a points to 
a branch and the datum to insert is less than the branch datum, a should move 
to insert in its left child, this is done by GoLeft; GoRight is similar. 
[Fig. 4 (rule pictures not reproduced).] Fig. 4. PGRS of rooted binary trees with an auxiliary pointer, AT 



A slightly simpler model of tree insertion is possible by giving the auxil- 
iary pointer a separate parent from the origin (see [BPR03b]) but this version 
illustrates the ability of our method to check shape-changing rules. 

4 Specifying Intermediate Shapes 

The insertion rules of Fig. 3 temporarily violate the BT shape by relabelling 
the root and introducing an auxiliary pointer a. Temporary shape violation is 
essential in many pointer algorithms such as red-black tree insertion or in-place 
list reversal. Our approach to such algorithms is to define their intermediate 
shapes by PGRSs, annotate each of their rules with the intended shapes of their 
domain and range, and check these shape-changing rules. 

Another approach would be to separate the heap-resident branch and leaf 
nodes from the stack-resident root nodes in our graphs. This way the tree inser- 
tion rules can be treated as non heap-shape changing but this approach would not 
allow the list reversal or red-black insertion examples to be treated as non-shape 
changing; in general, specifying intermediate shapes seems a better solution. 

The rules in Fig. 3 are annotated with the intended shape of their domain and 
range: during the search phase the shape should be rooted binary trees where 
the root node is labelled A and has an auxiliary arc a pointing somewhere in 
the tree, in addition to the origin arc. This shape AT is specified formally by the 
PGRS in Fig. 4. The new rules BtoLl and BtoLr reduce branches if one of their 
children is the target of the auxiliary pointer a, which they move up the tree. 
Thus the smallest AT-graph, which is the accepting graph, has one leaf pointed 
to by both arcs of the root A. 

5 Checking Shape Safety 

An annotated rule $t : S \times T$ is shape-safe if for every derivation $G \Rightarrow_t H$, 
$G \in \mathcal{L}(S)$ implies $H \in \mathcal{L}(T)$. 

Our checking algorithm builds an ARG (abstract reduction graph), which is 
a finite representation of graphs in $\mathcal{L}(S)$ and the domain of $\Rightarrow_t$, and rewrites this 
ARG to a normal form (Section 5.2). Then it builds another ARG to represent 
graphs in $\mathcal{L}(T)$ and the range of $\Rightarrow_t$ and tests whether this includes the left ARG 
(Section 5.3). To help represent infinite languages finitely, ARGs only include 
basic contexts (Section 5.1); the ARG inclusion test proves shape-safety for basic 
contexts; the congeniality test extends the safety result to all of $\mathcal{L}(S)$ in the 
domain of $\Rightarrow_t$ (Section 5.4). 

The algorithm is necessarily incomplete because shape safety is undecidable 
in general. This follows from [FM97] which reduces the inclusion problem for 
context-free graph languages to a variant of shape safety. In practice, ARG 
construction may not terminate and if it does then some safe rules may fail the 
tests. The closedness property of PGRSs helps to improve ARG construction 
and the success rate of the algorithm. 

5.1 Graph Contexts 

An ARG represents all the contexts for the left (or right) graph of a rule. Intuitively, 
if $G \in \mathcal{L}(S) \cap dom(\Rightarrow_t)$ then $G$ is the left graph of $t$ glued into some 
graph context $C$. We denote this by $C\langle L\rangle$. The ARG represents the set of all such 
contexts $C$ as a kind of graph automaton: the derivation $C\langle L\rangle \Rightarrow^* Acc_S$ can be 
broken down into a sequence of derivations $C_1\langle L_1\rangle \Rightarrow L_2, \ldots, C_n\langle L_n\rangle \Rightarrow Acc_S$ 
where $C_i$ is the smallest context needed for the $i$th derivation to take place and $C$ 
may be obtained by gluing all the $C_i$ together. So the ARG is an automaton 
whose nodes are the $L_i$'s of all such possible derivation sequences and whose arcs 
are labelled with the $C_i$ necessary for the derivation from source to target. 

There are two issues addressed in this section before the formal definition 
of ARGs: 1. All the represented contexts must be valid graphs; our definition 
of graph contexts ensures this. 2. The ARG must be finite; this is not always 
possible but it is often achievable by restricting the ARG to represent basic 
contexts only. 

A context is a graph in which some nodes are internal. Internal nodes must be 
labelled and have a full set of outarcs, their inarcs cannot be extended when the 
context is extended. This restriction prevents ARGs representing invalid graphs, 
which otherwise would arise, for example if nodes allocated during a derivation 
are then glued into a context which must exist before those nodes. 

Formally, a $\Sigma$-context is a pair $C = (G, I)$ where $G$ is a $\Sigma$-graph and $I \subseteq V_G$ 
is a set of internal nodes such that 
$\forall v \in I.\; l_G(v) \neq \bot \;\wedge\; \{m_G(e) \mid s_G(e) = v\} = type(l_G(v))$. 
The boundary of $C$, $boundary(C) = V_G - I$, is all the external nodes 
of $C$. Equality, intersection, union and inclusion extend to contexts from graphs 
in the obvious way. A reduction rule is converted to a pair of contexts by the 
following function: 

$ruletocxts((L \supseteq K \subseteq R)) = ((L, V_L - V_K), (R, V_R - V_K))$. 

A context morphism $g : (G, I) \to (H, J)$ is a graph morphism $g : G \to H$ 
which preserves internal nodes and the indegree of internal nodes: $g_V I \subseteq J$ 
and $v \in I$ implies $indegree_G(v) = indegree_H(g(v))$ where 
$indegree_A(v) = \#\{e \mid t_A(e) = v\}$. 

A direct derivation of context $D$ from $C$ through rule $r$ and morphisms $g$, $h$ 
is given by $C \Rightarrow_{r,g,h} D$ where $r = (L \supseteq K \subseteq R)$ and the following diagram is 
two pushouts and $h$ is a context isomorphism. 

    (L, V_L − V_K)  ⊇  (K, ∅)  ⊆  (R, V_R − V_K)
          g↓              ↓              ↓
          C         ⊇     B        ⊆     D'  —h→  D

A direct derivation preserves all the external nodes of $C$: only internal nodes 
can be deleted and allocated nodes are internal. $C\langle D\rangle$ means glue $D$ into $C$. It 
is defined if the following diagram is a pushout: the arrows are context inclusion 
morphisms; $C \cap D$ is discrete, unlabelled and all its nodes external; and $D$ and 
$C\langle D\rangle$ are contexts. 

    C ∩ D  →  D
      ↓        ↓
      C    →  C⟨D⟩

The pushout construction means that $C\langle D\rangle$ includes everything in $C$ and $D$ 
and nothing else (and only nodes internal in $C$ or $D$ are internal in $C\langle D\rangle$); the 
context inclusions guarantee that every internal node of $D$ has exactly the same 
inarcs and outarcs in $C\langle D\rangle$; the restrictions on $C \cap D$ guarantee that $C$ is the 
smallest context needed to form $C\langle D\rangle$. Note that internal nodes of $D$ cannot 
occur in $C$ but external nodes of $D$ can be made internal in $C\langle D\rangle$ by being 
internal in $C$; and $C$ does not have to be a proper context as its internal nodes 
can lack some of the inarcs or outarcs they have in $C\langle D\rangle$. So $\langle\rangle$ is associative 
but not commutative. 

A useful property is that $\langle\rangle$ cannot prevent reducibility by breaking the dangling 
condition, so if $C \Rightarrow D$ then $X\langle C\rangle \Rightarrow X\langle D\rangle$. 

In a basic direct derivation of context $C$ glued in context $X$, there must 
be a non-trivial overlap between $C$ and $X$. Formally, $basic(X\langle C\rangle \Rightarrow_{r,g,id} D)$ if 
$r = (L \supseteq K \subseteq R)$; context $X$ is minimal, $X\langle C\rangle = gL \cup C$; the derivation exists, 
$X\langle C\rangle \Rightarrow_{r,g,id} D$; and the overlap is non-trivial, $gL \cap C \neq gK \cap C$. 

A non-basic derivation leaves $C$ unchanged (but the reduction rule left graph 
may overlap some of $C$). Every derivation of the form $X\langle C\rangle \Rightarrow^* Acc$ can be 
reordered and split into two consecutive derivations $X\langle C\rangle \Rightarrow^* Y\langle C\rangle \Rightarrow^* Acc$ 
where the direct derivations in the first sequence are all non-basic and those 
in the second sequence are all basic. The left ARG represents all such $Y$; the 
inclusion test checks that the transformation is safe for all graph contexts of the 
form $Y\langle C\rangle$ and the shape congeniality test extends the result to all graphs of 
the form $X\langle C\rangle$. 
    ARG(C, S) = Build_cxt(D, [ D ], S)   where D = reduce(C, ⇒_S)

    Build_cxt(C, A, S = (Σ, ℛ, Acc)) =
      for each (D, X) ∈ ( { (reduce(D, ⇒_ℛ), X) | r ∈ ℛ, basic(X⟨C⟩ ⇒_{r,g,id} D) }
                        ∪ { (X⟨C⟩, X) | X⟨C⟩ ≅ Acc } ) / ≅
      do if ∃ C' ∈ V_A, context isomorphism i . D = iC'
           then A := A ∪ [ C —X→ C' ]
           else Build_cxt(D, A ∪ [ C —X→ D ], S)
      return A

    reduce(C, ⇒) = if C ⇒ C' then reduce(C', ⇒) else C

Fig. 5. Context-based ARG construction algorithm 



5.2 Abstract Reduction Graphs 

An ARG $A = (V, E, m, s, t)$ is a directed graph comprising a set of contexts $V$ 
(the nodes); a set of arcs $E$; an arc labelling function $m : E \to Context$ and arc 
source and target functions $s, t : E \to V$. 

For transformation rule $t : S \times T$, where $ruletocxts(t) = (C, D)$, the left ARG, 
$ARG(C, S)$, is produced by the algorithm in Fig. 5. 

Intuitively, an ARG is built by starting with node $C$. For every context $X$ (up 
to isomorphism, denoted $/\!\cong$ in Fig. 5) such that $X\langle C\rangle$ has a basic derivation 
to $D$ or $X\langle C\rangle$ is $Acc$, we add an arc from $C$ to node $D$, or node $Acc$, labelled $X$ 
(the boxed expressions in Fig. 5 denote graphs pictorially). The process repeats 
on these new nodes. In general, Build_cxt is non-terminating so safety checking 
often fails with certain GRSs. The report [Bak03] considers conditions for 
termination — a terminating, or size-reducing, GRS is not sufficient. 

The closedness property of PGRSs allows us to reduce the contexts D - 
and the initial context C — before adding it to the ARG (and makes reduce 
deterministic). This reduces ARG size and improves the likelihood of Build cxt 
terminating. 

Raw ARGs can be very large and they can include garbage paths that do 
not lead to the accepting graph. Therefore we use a system of ARG normalisation 
rules to eliminate excess nodes by merging and deleting arcs where possible. 
Fig. 6 shows an ARG: the left node is the context $C$; the right node is the accepting 
graph of AT; positively numbered graph nodes are external; unnumbered 
or negatively numbered graph nodes in ARG labels are internal. So for example, 
the top loop arc in this ARG means that gluing the central node into the loop 
label forms a context from which we can derive the central node (after renaming 
the boundary node 2 to 3). 

Every path from $C$ to $Acc_S$ in $A = ARG(C, S)$ represents a context of $C$. The 
context-paths of $A$ are $cxtpaths(A) = \{p \in paths(A) \mid s_p = C \wedge t_p = Acc_S\}$ where 
the paths in graph $A$ are all sequences of arcs such that the target of each arc is 
the source of its successor in the sequence, 
$paths(A) = \{(e_i)_{i=1}^n \mid e_i \in E_A \wedge 1 \leq i < n \Rightarrow t_A(e_i) = s_A(e_{i+1})\}$; 
the source of a path $p = (e_i)_{i=1}^n$ is $s_p = s_A(e_1)$ and 
the target of $p$ is $t_p = t_A(e_n)$. 

Fig. 6. Normalised ARG for the left hand side of Found (nodes 1 and 2 distinct) 

The context represented by a context-path $p$ may be extracted by the following 
function which glues the arc labels together and uses a renaming morphism 
$\alpha$ to ensure that the right nodes are identified at each gluing. 

    cof() = ∅
    cof((C —X→ D) + p) = α_{C,X,g,D,P} P⟨X⟩
        where D = reduce(X⟨C⟩, ⇒)
              P = cof p
    α_{C,X,σ,D,Y} : (Rng(σ) − Dom(σ)) ∪ (VE_Y − VE_D) → (VE − VE_{C∪X∪D}) − Rng(σ)

The example ARG in Fig. 6 represents all the graphs depicted in Fig. 7: 
starting from an instance of the Found rule left graph we can reduce the branch 
pointed to by a to a leaf with one BtoL derivation then any number of BtoLl or 
BtoLr derivations (following the cycle in the centre of the ARG) move the a-arc 
up until it points to a child of the root branch; finally a BtoLl or BtoLr derivation 
at the root results in the accepting graph. So the basic contexts include the path 
from the a-arc up to the origin; the reduction of the other sub-trees to leaves 
are always part of the non-basic derivations. 

The ARGs generated by our algorithm have the following properties. ARG 
context-path completeness says every basic context is represented by some 
context-path: if $G = X\langle C\rangle$ and $G \Rightarrow^*_S Acc_S$ then there is a path 
$p \in cxtpaths(ARG(C, S))$ such that $G \Rightarrow^*_S cof\,p\langle C\rangle \Rightarrow^*_S Acc_S$. ARG context-path soundness 
says every context-path represents some basic context: if $ruletocxts(r) = (C, D)$ 
and $G \Rightarrow^* cof\,p\langle C\rangle$ and $p \in cxtpaths(ARG(C, S))$ then $G \Rightarrow^*_S Acc_S$ and 
$G \in dom(\Rightarrow_r)$. 



